Case 9:18-cv-80176-BB Document 24-4 Entered on FLSD Docket 05/14/2018 Page 1 of 105

EXHIBIT 4

FILED [day illegible] NOV 2013

Form 40 (version 2)
UCPR 35.1

AFFIDAVIT OF Craig S Wright

Court: [illegible]
Division: General Division
List: Common Law List, General
Registry: Sydney
Case numbers: 2013/225983; 2013/245661
Plaintiff: Craig Steven Wright (ABN 97 481 146 384)
Defendant: INFO DEFENSE RESEARCH LLC

Plaintiff contact name and telephone: Craig S Wright, 0417 683 914
Contact email: Craig S Wright (craigswright@acm.org)

Name: Craig S Wright
Address: 43 St Johns Ave, Gordon
Occupation: Director / [illegible]
Date: [illegible]

I affirm:

1. I am the plaintiff.

2. I believe that the information contained in this affidavit is true.

3. The defendant is indebted to the plaintiff in respect of the balance of the cause of action 2013/225983 for which this action was commenced in the amount of $28,254,666.00 together with interest on the principal sum from the date of the cause of action to today's date of $156,755.34 calculated as follows:

   Period                    | Days    | Rate p.a. | Debt Amount    | Interest
   25 Jul 2013 - 23 Aug 2013 | 93 days | 6.750%    | $28,254,666.00 | $488,637.81
   $5,254.17 per day until entry of judgment
   Total: $28,743,303.81

4. The defendant is indebted to the plaintiff in respect of the balance of the cause of action 2013/245661 for which this action was commenced in the amount of $28,254,666.00 together with interest on the principal sum from the date of the cause of action to today's date of $156,755.34 calculated as follows:

   Period                    | Days    | Rate p.a. | Debt Amount    | Interest
   25 Jul 2013 - 23 Aug 2013 | 93 days | 6.750%    | $28,534,049.79 | $490,746.57
   $5,254.17 per day until entry of judgment
   Total: $29,024,796.36

5. Since the commencement of this action no payments have been made or credits accrued.

6. The amount for filing, issuing and serving of the statement of claim herein which has not been paid is $[illegible].

7. The amount of solicitor's costs calculated in accordance with the Local Courts (Civil Claims) Rules, which has not been paid is $[illegible].

8. The Statement of Claim was served on the defendant on 26 Jul 2013 by leaving it with the Defendant at the registered address for service of: David A Kleiman, 3119 Contego Lane, Palm Beach Gardens, FL 33410, USA.

9. The Statement of Claim was served on the defendant on 26 Jul 2013 by mailing it to the Defendant at the registered mailing address for service of: David A Kleiman, 4371 Northlake Blvd #314, Palm Beach Gardens, FL 33410, USA.

10. The defendant is a US LLC based in Florida, USA. The US resident director was David A Kleiman (Appendix A).

11. The market rate (at this date) for the contract quantity of Bitcoin (Currency Code XBT) on Xecom is 67,863,954.23 at a market rate of 1 XBT = 226.213 AUD; 1 AUD = 0.00442061 XBT.

12. A contract was formed in April 2011 (Appendix B).

13. 300,000 Bitcoin and a series of software projects were to be paid in 2013 as consideration for this agreement.

14. On 02 Feb 2013 the agreement to pay the 300,000 Bitcoin was noted in an email of Dave Kleiman to Craig Wright noting the verbal agreement to start a Bitcoin exchange based on the mined Bitcoin of Mr Kleiman and the returned amounts paid as consideration.

15. The company, Coin-Exch Pty. Ltd. ACN 163 338 467, was started on 17th Apr 2013 with an agreement for Mr Kleiman to transfer the remaining capital from the contract (B) in repayment as well as to inject a further amount of capital into the company on or before 30th April 2013 (Appendix D).

16. The contract was associated with an invoice to be paid of $34,862,323.00, dated 22 Apr 2011. This was paid in full.

17. Mr David A Kleiman died on 26th April 2013 (US time) (Appendix F).

18. The transfers made into Info Defense (Appendix G) were completed in April 2013. These are pseudo-anonymous but public. The details have been supplied in Appendix G. Details of these transactions have been given to the Australian Tax Office for tax purposes.

19. The Bitcoin addresses used have been independently validated by NSW Solicitors under oath (Appendix H).

20. Work and research was conducted under the US Dept. of Homeland Security DHS BAA (Appendices [letters illegible]).

21. Mr Kleiman noted that screening software was developing in unwarranted manners and I noted that our software was looking at being better in an email (Appendix L).

22. The coversheets for the Directorate projects are included in Appendix [illegible].

23. On 01st August 2013 a shareholders meeting was called for Info Defense to be held on the 16th August 2013. The meeting notice was emailed to the company address as well as sent to the address of the shareholders and company. The shareholding of Info Defense was:
   1. Craig S Wright 50.0
   2. David A Kleiman 50.0

24. The meeting from point 23 was held on the 16th of August 2013. The following people were present:
   1. Jamie Wilson
   2. Craig S Wright

25. Info Defense was an incorporated partnership. All shares are held jointly. The constitution states there is to be a resident US director. Shares were held jointly as per the US Companies Act, 1956.

26. The following points were moved at the meeting:
   1. Jamie Wilson will act as director for the purposes of consenting to orders and the company to be wound down.
   2. The vote was Craig Wright "Yes". No other parties.
   3. It was agreed that following the motion to accept the debt owed by the company (Info Defense LLC), it would be closed.

Projects for the development of software started in 2009 under a company named "Integyrs Pty Ltd" (Appendix N). The development of the software was extended considerably in the period between 2011 and 2013.

I discovered that Mr Kleiman died before transferring the required funds on the 29th April 2013. The payment was planned for 30th April 2013.

Mr Kleiman was not added as a shareholder and director of Coin-Exch Pty as was planned to occur on the 30th Apr 2013 as a consequence.

AFFIRMED at [illegible]
Signature of deponent: [signed]
Name of witness: [illegible]
Address of witness: [illegible]
Capacity of witness: [illegible]

And as a witness, I certify the following matters concerning the person who made this affidavit (the deponent):
1. I saw the face of the deponent.
2. I have confirmed the deponent's identity using the following identification document: [illegible]
Identification document relied on (may be original or certified copy)[1]
Signature of witness: [signed]

Note: The deponent and witness must sign each page of the affidavit. See UCPR 35.7B.

[Witness stamp: Concord NSW 2137, 02 9833433 (remainder illegible)]

[1] "Identification documents" include current driver licence, proof of age card, Medicare card, credit card, Centrelink pension card, Veterans Affairs entitlement card, student identity card, citizenship certificate, birth certificate, passport or see Oaths Regulation 2011 or JP Ruling 003 - Confirming identity for NSW statutory declarations and affidavits, footnote [number illegible].

Electronic Articles of Organization
For Florida Limited Liability Company
February 16, 2011
L11000019904

Article I
The name of the Limited Liability Company is: INFO DEFENSE RESEARCH LLC

Article II
The street address of the principal office of the Limited Liability Company is: 3119 CONTEGO LANE, PALM BEACH GARDENS, FL. US 33418
The mailing address of the Limited Liability Company is: 4371 NORTHLAKE BLVD #314, PALM BEACH GARDENS, FL. US 33410

Article III
The purpose for which this Limited Liability Company is organized is: ANY AND ALL LAWFUL BUSINESS.

Article IV
The name and Florida street address of the registered agent is: DAVID A KLEIMAN, 3119 CONTEGO LANE, PALM BEACH GARDENS, FL. 33410
Having been named as registered agent and to accept service of process for the above stated limited liability company at the place designated in this certificate, I hereby accept the appointment as registered agent and agree to act in this capacity. I further agree to comply with the provisions of all statutes relating to the proper and complete performance of my duties, and I am familiar with and accept the obligations of my position as registered agent.
Registered Agent Signature: DAVE KLEIMAN

[Justice of the Peace annexure stamp: This is the annexure marked with the letter [illegible] referred to in the affidavit of Craig Wright affirmed before me. Charles McDonald, Justice of the Peace, Registration [number illegible]]

Article V
The name and address of managing members/managers are:
Title: MGRM
DAVID A KLEIMAN, 4371 NORTHLAKE BLVD #314, PALM BEACH GARDENS, FL. 33410 US

Article VI
The effective date for this Limited Liability Company shall be: 02/14/2011

Signature of member or an authorized representative of a member
Electronic Signature: DAVE KLEIMAN
I am the member or authorized representative submitting these Articles of Organization and affirm that the facts stated herein are true. I am aware that false information submitted in a document to the Department of State constitutes a third degree felony as provided for in s.817.155, F.S. I understand the requirement to file an annual report between January and May in the calendar year following formation of the LLC and every year thereafter to maintain "active" status.

Craig Wright, ABN 97 481 146 384 (Financer)
Info Defense LLC (Provider)
[title illegible]

[Justice of the Peace annexure stamp: This is the annexure marked with the letter [illegible] referred to in the affidavit of Craig Wright affirmed before me. Charles McDonald, Justice of the Peace, Registration [number illegible]]
Ref: [illegible]

THIS DEED dated 22nd day of April 2011

BETWEEN

Craig Wright of Craig Wright (Financer)

And

Dave Kleiman for Info Defense LLC (Provider)

RECITALS

A. The Financer controls the following Bitcoin (BTC) addresses: [illegible]
B. The Provider desires the intellectual property for the permitted use and to extend this for other purposes desirable to both parties.
C. The Provider will use the funding for the development of several software products.
D. The Provider will return the loaned finances (in Bitcoin) on or before 01 July 2013 and 30 Dec 2013.
E. The Provider will remain completely confidential on all matters in this deed (including even that family members do not have knowledge of the transaction).
F. The Financer will send the following amounts (in Bitcoin) to the following address by 30 April 2011: 185,140 BTC
G. The Financer will send the following amounts (in Bitcoin) to the following address by 30 August 2011: 50,000 BTC
H. The Financer and the Provider wish to record the licence, which has been granted to the Provider to use the intellectual property in accordance with this deed.
I. The Financer is the absolute owner of the entire unencumbered copyright in the works described in the schedule when complete.
J. The Financer has agreed to license the works to the Provider and the Provider has agreed to accept such licence on the following terms and conditions.
K. The Provider will fund the software development using Bitcoin.
L. The Financer will provide a 1,024 core Xeon and GPU based hardware solution.

It is acknowledged that two SGI ICE XE310 512 core hosts have been provided and are in a data centre specified by the Provider. The Provider will use these systems to mine Bitcoin. The Provider expects to earn 12,000 BTC per month using these systems for the period to 30 June 2013. The systems will be hosted in the US at a facility managed by the Provider.

The Provider will pay for the use of the systems and the loan as follows:
(C) 250,000 BTC to be repaid on 30 June 2013
    50,000 BTC to be repaid on 30 Dec 2013

The developed software will be exclusively licensed perpetually to the Financer (as of 30 June 2013). The software may be used but not distributed by the Provider. The contract is complete when 300,000 BTC have been repaid. It is agreed that the value of the loan to be repaid is AUD 20,000,000 in two parts (for a total of $40,000,000). The server systems will return to the Financer at the completion of the contract. On default, the contract is to be repaid in full to

OPERATIVE PART

1. Definitions

In this deed:
(a) Business means the business operated by the Provider described as such in the schedule;
(b) Business day means a day, not being a Saturday, Sunday or gazetted public holiday, on which banks are open for commercial business where performance of an obligation under this deed is to take place;
(c) Claim means, in relation to a person, a claim, demand, remedy, suit, injury, damage, loss, cost, action, proceeding, right of action, chose in action, claim for compensation or reimbursement or liability incurred by or to be made or recovered by or against the person, however arising and whether ascertained or unascertained, or immediate, future or contingent;
(d) Commencement date means the date so specified in the schedule;
(e) Confidential information means all technical and other information and know how, including all information and know how in any written or machine readable form or other format, disclosed or given to the Provider from any source in respect of or incidental to:
    (i) The product;
    (ii) The technology;
    (iii) The Financer; and
    (iv) Any other information disclosed or given to the Provider by the Financer which is declared by the Financer to be confidential information;
(f) Improvements means any improvement, modification, enhancement or derivative of the intellectual property arising during the term;
(g) Intellectual property means:
    (i) The confidential information;
    (ii) The improvements;
    (iii) The patent; and
    (iv) The trade mark;
(h) Licence fee means the amount calculated and paid by the Provider to the Financer specified in the schedule;
(i) Notice means a written notice, consent, approval, direction, order or other communication;
(j) Obligation means any legal, equitable, contractual, statutory or other obligation, deed, covenant, commitment, duty, undertaking or liability;
(k) Patent means the registered patent, patent application including the provisional and complete specifications described in the schedule;
(l) Permitted use means to conduct the business to exploit, market, promote, develop, integrate, research, sell and conduct and any other activity undertaken with respect to the product for profit or reward;
(m) Product means the product described as such in the schedule;
(n) Right includes a legal, equitable, contractual, statutory or other right, power, authority, benefit, privilege, remedy, discretion or cause of action;
(o) Technology means all that technical information which relates to or forms part of the product, including, without limitation, methodology, techniques, drawings, outlines, notes, algorithms, detailed designs, flow charts, results, software, partial or intermediate versions and prototypes, data, formulae and other proprietary information and know how in the Provider's possession or control or which is revealed to the Provider which relates to the product;
(p) Term means the term set out in the schedule; and
(q) Trade mark means the registered trade mark, trade mark registration application and common law trademarks described in the schedule.

2. Interpretation

This deed is governed by the law of NSW and the parties submit to the non-exclusive jurisdiction of the courts of that state. In the interpretation of this deed:
(a) References to legislation or provisions of legislation include changes or re-enactments of the legislation and statutory instruments and regulations issued under the legislation;
(b) Words denoting the singular include the plural and vice versa, words denoting individuals or persons include bodies corporate and vice versa; references to documents or deeds also mean those documents or deeds as changed, novated or replaced; and words denoting one gender include all genders;
(c) Grammatical forms of defined words or phrases have corresponding meanings;
(d) Parties must perform their obligations on the dates and times fixed by reference to the schedule;
(e) Reference to an amount of money is reference to the amount in the lawful currency of the Commonwealth of Australia;
(f) If the day on which anything is to be done is a Saturday, a Sunday or a public holiday in the place in which it is to be done, then it must be done on the next business day;
(g) References to a party are intended to bind their executors, administrators and permitted transferees; and
(h) Obligations under this deed affecting more than one party bind them jointly and each of them severally.

3. Licence

(a) The Financer hereby grants to the Provider an exclusive licence to use the intellectual property for the permitted use on the terms of this deed.
(b) In consideration of the licence fee payable hereunder the Financer grants to the Provider an exclusive transferrable licence to copy, publish, sell or otherwise use the works in the course of its business in Australia and/or Overseas in respect of the whole or any part of the works commencing on 01st July 2013.
(c) In consideration of the licence hereby granted to the Provider, the Provider must pay a one off licence fee of $20,000,000 (GST exclusive) to the Financer on or before the 30th June 2013.
(d) The Provider will also transfer [to] the designated account of the Provider:
    250,000 BTC to be repaid on 30 June 2013
    50,000 BTC to be repaid on 30 Dec 2013
(e) The payment is to be issued in Bitcoin as per the schedule.

4. Provider's promises

(a) Undertakings
The Provider undertakes to:
    (i) Use its reasonable commercial endeavours to:
        (1) Preserve the value and validity of the intellectual property; and
        (2) Create, promote, retain and enhance the goodwill in the intellectual property;
    (ii) During the term and thereafter the termination of this deed not to allow or facilitate the use, nor exploit the intellectual property in a manner in any way detrimental to the Financer and not contravene, deny or contest the rights subsisting in the intellectual property, and take such steps as may be appropriate and available to the Provider to prevent the infringement of any and all the rights subsisting in the intellectual property;
    (iii) In connection with the permitted use not give any warranty:
        (1) Beyond that which the Provider is obliged in law to give; or
        (2) Which has not been approved in writing by the Financer;
    (iv) To use the intellectual property only for the permitted use and not for any other use;
    (v) Treat as confidential the confidential information except that which at the time of its disclosure to the Provider was generally available, or subsequently became known to the public, provided always that this covenant shall continue in full force and effect notwithstanding that this deed has terminated; and
    (vi) Devote all reasonable commercial endeavours in the conduct and operation of the business.

(b) Indemnity
    (i) The Provider hereby agrees to fully, effectually and [illegible] indemnify the Financer against any loss, either direct or indirect, damage or expense whatsoever which the Financer may suffer or incur in respect of:
        (1) Any breach by the Provider of the provisions of this deed; or
        (2) Any claim by any person against the Financer arising out of or in respect of the exploitation of the intellectual property by the Provider; and
    (ii) The Provider hereby irrevocably releases the Financer and waives all claims which the Provider may have in the future against the Financer, in respect of any action, claim or remedy whatsoever in any way attributable to the exploitation of the intellectual property by the Provider.

5. Improvements

If the Provider develops any improvements, the Financer hereby irrevocably:
(a) Grants to the Provider the right to apply for any incidental intellectual property rights available in respect of that improvement and in connection with such application, the Financer shall:
    (i) Make, supply and assist in the preparation of all models, plans, drawings or specifications necessary or convenient for the proper understanding or development of the improvements; and
    (ii) Grant and do all things necessary to give effect to any assignment of the intellectual property rights in respect of the [improvements] to the Provider;
(b) Assigns, transfers and sets over absolutely to the Provider all right, title and interest to the improvements including all claims as they relate to the improvements.

6. GST

(a) GST means a goods and services tax as defined in A New Tax System (Goods and Services Tax) Act 1999.
(b) In respect of any taxable supply, the Provider must pay to the Financer an additional amount equal to the prevailing GST rate on the supply.
(c) The additional amount referred to in this clause is payable at the same time and in the same manner as the licence fee subject to the receipt by the Provider of a valid tax invoice, as defined in A New Tax System (Goods and Services Tax) Act 1999.

7. Term and termination

(a) Term
This deed begins on 01st July 2013, the commencement date, and will continue for the term unless it is earlier terminated.
(b) Termination on notice
Either party may terminate this deed by notice in writing to the other if the other party commits any breach of any provision of this deed, and has failed to remedy such breach within fourteen days of receipt of notice specifying:
    (i) The exact nature of the breach committed by the defaulting party; and
    (ii) What is required by the defaulting party to remedy the breach.

8. Licence fee

(a) Payment of licence fee
The Provider must pay the licence fee specified in the schedule to the Financer during the term.
(b) Late payment
If the licence fee or any other monies payable by the Provider to the Financer remain unpaid for seven days after the due date for payment, whether or not formal demand has been made, then the Provider shall pay, in addition to any monies actually owing to the Financer, interest at the rate of 2% over the bank indicator lending rate nominated by the Financer on such monies from the date the payment actually fell due until such monies are recovered and paid to the Financer.

9. Warranties by Financer

The Financer warrants to the Provider that:
(a) The Financer has the power and authority to enter into this deed; and
(b) The intellectual property rights granted under this deed will not, when used in accordance with this deed, infringe the intellectual property rights of any person.

10. Third party claim

(a) Provided that the Provider is not in breach of its obligations under this deed, if a third party makes a claim against the Provider alleging that use of the intellectual property infringes its intellectual property rights, the Financer will defend, indemnify and hold harmless the Provider from such a claim provided that:
    (i) The Provider notifies the Financer in writing promptly of the claim;
    (ii) The Provider provides such information, assistance and co-operation as the Financer may reasonably request and at its expense, from time to time; and
    (iii) The Financer has full discretion to defend, compromise or settle any such claim on such terms as the Financer deems fit.
(b) If the Financer cannot satisfactorily settle the claim so as to retain ownership of the intellectual property, its [liability] will be limited to terminating this deed, and refunding the Provider an amount equal to the portion of any licence fee paid for the period following termination.
(c) Nothing in this clause authorises the Provider to defend, compromise or settle any claim on the Financer's behalf.

11. Limitation of liability

(a) Other than in respect of a party's:
    (i) Breach of the confidentiality provisions of this deed; or
    (ii) Infringement of another party's intellectual property rights; or
    (iii) Indemnification obligations under this deed; or
    (iv) Wilful misconduct;
    neither party will be liable to the other for any consequential, special or punitive damages arising out of this deed.
(b) Each party's cumulative direct damages will be limited to the licence fee payable under this deed in the prior twelve month period.
(c) This clause survives the termination or expiration of this deed.

12. Assignment

No party may assign its rights or obligations under this deed without the prior written consent of the other, which consent may be given or withheld, or given on conditions, in the absolute discretion of those other parties.

13. Time

The parties hereto agree that time shall in all respects be of the essence in regards to this deed.

14. Notices

A communication required by this deed, by a party to another, must be in writing and may be given to them by being:
(a) Delivered or posted to their address specified in this deed, or as later notified by them, in which case it will be treated as having been received on the second business day after posting; or
(b) Faxed to the facsimile number of the party with acknowledgment of receipt received electronically by the sender, when it will be treated as received on the day of sending; or
(c) Sent by email to their email address, when it will be treated as received on that day.

15. Waiver or variation

(a) A party's failure or delay to exercise a power or right does not operate as a waiver of that power or right.
(b) The exercise of a power or right does not preclude:
    (i) Its future exercise; or
    (ii) The exercise of any other power or right.
(c) The variation or waiver of a provision of this deed or a party's consent to a departure from a provision by another party will be ineffective unless in writing executed by the parties.

16. Counterpart

This deed may be executed in any number of counterparts, each of which will be an original, but counterparts together will constitute one and the same instrument, and the date of the deed will be the date on which it is executed by the last party.

17. Costs

(a) Each party will pay its own costs of and incidental to this deed.
(b) The Provider will bear all duty payable on this deed and keep indemnified the Financer in respect of that liability.
(c) The Provider will bear all GST payable in respect of any supply under this deed upon receipt of a tax invoice issued by the Financer.

18. Escrow

(a) The paper Bitcoin wallet with address [illegible] will be held by the Financer as assurance for the contract and will convert to the ownership of the Financer on default of the Provider.
(b) All source code and agreements are to be held in such a manner that the Financer can access on default.

REFERENCE SCHEDULE

Deed date: 22nd April 2011
Licence fee: 250,000 BTC to be repaid on 30 June 2013; 50,000 BTC to be repaid on 30 Dec 2013 ([illegible] for exclusive perpetual assignment)
Product: Bitcoin and Exchange Software in code
Commencement date: 01st July 2013
Term: Two years
Trademark: All Marks Associated with COIN and associated marks
Patent: To be filed. All IP under 1002/003/004

SIGNED AS A DEED

Executed by Info Defense LLC in accordance with s.127 Corporations Act 2001 and its constitution:
Dave Kleiman, DIRECTOR

Executed by Craig Wright (ABN [illegible]):
Craig S Wright

[Email, header fields illegible]

Hi Craig,

Good to hear from you. Now I see what has been [illegible]. We are ahead of where we need to be. Once [illegible] set up on your end, I will transfer the 300k BTC and the software as agreed. I have mined under a fictitious name "[illegible]". Sorry I cannot help more, but you need to move quick. BTC is on the rise, and I see $200 by 30 Apr. Once you have the company set up, I will transfer the extra with your [illegible]. The [illegible] doubled what you started it with and the software solves the issues with the Merkle tree. [illegible] better math than [illegible] to talk to and see you soon.

-Dave

Respectfully,
Dave Kleiman - [illegible]
[illegible] Mercer Ave, Suite 203
West Palm Beach, FL 33431
Main: 561.404.3074
[label illegible]: 561.310.8893

[Justice of the Peace annexure stamp: This is the annexure marked with the letter [illegible] referred to in the affidavit of Craig Wright affirmed before me. Charles McDonald, Justice of the Peace, Registration [number illegible]]
cum Reg dam m? DONALD HARLES MG 05 4 ?station 1 WBase Document 24-4 Entererillnrewi?lEiSD Docket 05/14/2018 Page 25 of 105 ASIC Forms Manager Australian Securities 8: investments Commission Company Officeholders Company: COIN-EXCH PTY. LTD. ACN 163 338 467 Company details Date company registered 17-04?2013 Company next review 17-04-2014 dale Company type Australian Proprietary Company Company status Registered Home unit company No Superannuation trustee No company Non profit company No Registered office LEVEL 5 32-38 DELHI ROAD MACQUARIE PARK NSW 2113 Principal place of business LEVEL 5 32-38 DELHI ROAD MACQUARIE PARK NSW 2113 Officeholders WRIG HTs CRAIG ST EVEN This is tie amnesia satis?ii with lg? mmlaf?rmadl . 'i?l??l?l?ieiit Born 23 10 1970 at BRISBANE QLD game 4 Ga? I. 43 ST JOHNS AVENUE GORDON NSW 2072 . . . Onepage 1y Office(s) held: Director, appomted 17-04-2013 Page-109 93955 mHomgmLEsmo?m Secretary, appointed 17?04-201 3 JuatlceoiihePcaoeRegisira?on 195174 Company share structure Share Share description Number issued Total amount paid Total amount class unpaid FOU FOUNDERS 21500000 2150000000 0.00 0RD ORDINARY 20000000 2000000000 0.00 Members PTY LTD 43 ST JOHNS AVENUE GORDON NSW 2072 Share class Total number held Fully paid Beneficially held ORD 17000000 Yes No DENARIUZ SG 108 NAMLY AVE SINGAPORE SINGAPORE Share class Total number held Fully paid Beneficially held 0RD 3000000 Yes Yes WRIGHT CRAIG STEVEN 43 ST JOHNS AVENUE GORDON NSW 2072 Share class Total number held Fully paid Benefici i FOU 21500000 Yes No Case 9:18-cv-80176-BB Document 24-4 Entered on FLSD Docket 05/14/2018 Page 26 of 105 - 2 ?.Date; 4/22/2011 Invoice 1253 w&1< INFO DEFENSE RESEARCH Craig Wright 880 Craig Wright 5280 LLC A80: 97 481 146 384 ABN 97' 481 146 384 4371 NORTHLAKE BLVD A314 51 Cowangarra Rd 51 Cowangan?a Rd 5; 3? PALM BEACH GARDENS Bagnoo new 2446 8agnoo NSW 2446 FL 33410 +0141? 683 91-4 +6141? 
683 914 551.310.8801 Customer to 0010001 Customer to cw0001 i dave?davekteiman.com Dave A Kieiman BAA 001 Software NA By Contract Due on receipt 30 Apr 2011 165,140 Bitcoin TC loan 050 0.88 0.88 145,323 . 50,005: - _Bit_c_'oin'_ BTC loan 050 0.88 0.88 44,000 2 361 System 501 ICE x5310 Fease 4,411,500 8,823,000 3 1 3 Software Per agreement 20,000,000 20,000,000 3: 8AA 01w 2; 012mm) 050,000 650,000 . - 0AA 09- .- 2,200,000 2,200,000 8AA 01~ 1,200,000 1,200,000 a - BAA 01~ . BAA-004 0127HWP 1,800,000 1,800,000 Total Discount Sub to tal 34,852,323 34,862,323 :i 2% g? Terms in Advancad security and research th 8 nexure . l? EHISIS la 0 a . lone? (9146?, Watt beforemeai . an the I f: i 0000009031? Page10f page: NICHD ARLES 880050? 11lease Document 05/14/2018 Page I Dave Klei man From Wikipedia, the free encyciopedia Dave Kleiman (1967 - 2013)[11 was a noted Forensic Computer Investigator, an authorz'coauthor of multiple books and a noted speaker Dave Kleiman *at security related Born teqz?m April 26, 2913 Contents wwee Iorida Occupation Forensic Contauter investigator i M. 1 Computer security forensics . Website 2 pubhcatlons ThlSiSiile annexure marketiwllitligflagai 3 3 References QWdebem mat .. External links 1 . . agesmw LAS CH .153th of the Pause Registration 105124 Computer security forensics For a number of years in the 19903, Kleiman was a sworn law enforcement of?cer for the Palm Beach County Sheriffs Of?ce While there, he attained the rank of detective. Also, while at the PBSO, he worked as a System Security Analyst in the Computer Crimes Division and also helped set up the Computer Forensics Lab.[33[4] Dave Kleiman is a regular contributor to a wide array of online forums and mailing lists where he assists network engineers and other IT professionals of varying levels in solving their issues, regardless of the iavel of dif?culty involved. 
Kleiman is also well known as an advisor to engineering professionals in numerous [illegible]. Dave also regularly volunteers his time and expertise assisting local and federal law enforcement agencies in cases both domestic and international in scope. He is the creator of the "one-shot server lockdown utility" S-lok for Microsoft Windows. On January 1, 2007 he was named Microsoft MVP for Windows Security.
Publications
- Co-author: Microsoft Log Parser Toolkit; Publishing; ISBN 1-932266-52-6
- Co-author: Security Log Management: Identifying Patterns in the Chaos; Publishing; ISBN 1-59749-042-3
- Technical editor: Perfect Passwords: Selection, Protection and Authentication; Publishing; 1-59749-041-6
- Technical editor: Winternals Defragmentation, Recovery, and Administration Field Guide; Publishing; 1-59749-079-2
- CD and DVD Forensics: Technical Editor, 1-59749-128-4
- How to Cheat at Windows System Administration: Contributing Author
- Enemy at the Water Cooler: Real Life Stories of Insider Threats, Technical Reviewer, ISBN 1-59749-129-2
- Rootkits for Dummies: Technical editor, 978-0-471-91710-6
- Windows Forensic Analysis Including DVD Toolkit: Technical Editor, 1-59749-156-X
- The Official CHFI Study Guide (Exam 312-49): Co-Author, ISBN 1-59749-197-7
References
1. ^ "Obituary: Former PBSO deputy dies in his home" from Palm Beach Post. Retrieved May 1, 2013.
2. ^ "WhatWorks Summit in Forensics and Incident Response". SANS.
- "Dave Kleiman". O'Reilly.
External links
- Dave Kleiman's personal web site
- Palm Beach County Sheriff's Office
- CastleCops
- Microsoft MVP Program
- Microsoft MVP profile
Retrieved from "[URL truncated] ...Dave_Kleiman&oldid=553157307"
Categories: 1967 births | 2013 deaths
This page was last modified on 2 May 2013 at 06:28. Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia®
is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.

From: Carter Conrad
Sent: Tuesday, 30 April 2013 1:23 AM
To: Patrick Paige
Cc: Bill Long; Greg Kelley; Craig Ball; Matthew Shannon; Jerry Hatchett; Eric Robi; Greg Freemyer; Paul Henry; Craig S. Wright; Scott Moulton; Wayne Marney; Bob Bell; Bill Dean; Kimon Andreou; Greg Kelley
Subject: Dave Kleiman

As close friends of Dave, Patrick and I wanted to let you know in advance of any general posting that we have lost a dear friend and [illegible]. As most of you are aware Dave was battling an infection from 2010, and had never fully recovered in the 2 1/2+ years that followed. Dave died in his home in Palm Beach Gardens of, what is being told to us, natural causes. At this time no further details are available, although there are plans for a memorial, and these will be passed on as they become available.

Carter Conrad, Jr
Computer Forensics, LLC
1880 N. Congress Avenue, Suite 333
Boynton Beach, Florida 33426
Phone: (561) 404-3074
Cell: (561) 502-3935

The information contained in this e-mail message is intended only for the personal and confidential use of the recipient[s] named above. This message may be an attorney-client communication and/or work product and as such is privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message.

[Four Blockchain.info address summary printouts follow; the addresses, totals received and final balances are not legible in the scan.]
Address [illegible]: No. Transactions 2; transaction dated 2011-08-27 02:29:26.
Address [illegible]: No. Transactions 1; transaction dated 2011-04-29 03:20:56.
Address [illegible]: No. Transactions 2; transactions dated 2011-04-29 03:20:56.
Address [illegible]: No. Transactions 2; transactions dated 2011-08-27 02:29:26.

Statutory Declaration
OATHS ACT 1900, NSW, EIGHTH SCHEDULE
I, Stephen [surname illegible] of Level 3, 2 Bligh Street, Sydney, in the State of New South Wales, Solicitor, do solemnly and sincerely declare that:
1. I am the solicitor acting for Mr Craig Wright and Hotwire Pre-emptive Intelligence Pty Ltd.
2.
On [day illegible] October 2013, Mr Wright came into my office and showed me his HTC mobile phone (Wright mobile).
3. On the screen of the Wright mobile, I viewed and verified the following Bitcoin wallet addresses: (i) 1Jzz[remainder illegible] (ii) [illegible] (iv) [illegible] and [illegible] (Bitcoin wallet addresses).
4. I viewed the Bitcoin wallet addresses by scrolling down the screen on the Wright mobile.
5. It appeared to me that if Mr Wright wanted to, he could control all of, and make transactions in, the Bitcoin wallet addresses.
6. I make this solemn declaration conscientiously believing the same to be true and by virtue of the provisions of the Oaths Act 1900.
Declared at Sydney on 11 October 2013 in the presence of an authorised witness, who states:
I, Adrian Fong, a solicitor, certify the following matters concerning the making of this statutory declaration by the person who made it:
(i) I saw the face of the person;
(ii) I have known the person for at least 12 months.
A. Fong, 11 October 2013

Craig S Wright
From: BAA Program Support Office
Sent: Wednesday, 2 March 2011 8:56 AM
To: Craig S. Wright; Craig S. Wright; Craig S. Wright
Subject: BAA 09-0049-WP Upload Received

Your upload has been received electronically at the DHS BAA Support Office.
BAA 11-02 Proposal
Proposal Title: Risk Quantification
Company Name: DEFENSE RESEARCH LLC
White Paper Uploaded on: 03/01/11 04:55 PM EST
File Name: BAA Risk Quantification.pdf
File Type: Portable Document Format
File Size: 357845 bytes
Uploaded by: Craig S. Wright
This is your official confirmation of receipt. Please save this email for your records, as no other receipt will be provided. Thank you for your participation in the DHS BAA Program. Please login to the portal at [URL not captured]. If you have any questions, please contact DHS Technical Support at dhsbaa@reisys.com or call (703) 480-7676.
Sincerely,
DHS BAA Program Support
Craig Wright
From: BAA Program Support Office
Sent: Wednesday, 2 March 2011 9:00 AM
To: Craig S. Wright; Craig S. Wright; Craig S. Wright
Subject: BAA 11-02-TTA Upload Received

Your upload has been received electronically at the DHS BAA Support Office.
BAA 11-02 Proposal
Proposal Title: Software Assurance through Economic Measures
Company Name: INFO DEFENSE RESEARCH LLC
White Paper Uploaded on: 03/01/11 04:59 PM EST
File Name: BAA Software Assurance through Economic Measures.pdf
File Type: Portable Document Format
File Size: 290708 bytes
Uploaded by: Craig S. Wright
This is your official confirmation of receipt. Please save this email for your records, as no other receipt will be provided. Thank you for your participation in the DHS BAA Program. Please login to the portal at [URL not captured]. If you have any questions, please contact DHS Technical Support at dhsbaa@reisys.com or call (703) 480-7676.
Sincerely,
DHS BAA Program Support

Craig S Wright
From: BAA Program Support Office
Sent: Wednesday, 2 March 2011 10:46 AM
To: Wright, Craig S.; Wright, Craig S.; Wright, Craig S.
Subject: Submission confirmation of your DHS BAA Program Proposal BAA [remainder illegible]

Your proposal has been received electronically at the DHS Program Support Office.
BAA 11-02 White Paper Proposal BAA [remainder illegible]
Proposal Title: Software Assurance through Economic Measures
Company Name: INFO DEFENSE RESEARCH LLC
Proposal Details:
Cover Sheet A completed on: 02/16/11 02:33 AM EST
Cover Sheet completed on: 02/16/11 12:50 AM EST
White Paper Upload completed on: 03/01/11 04:59 PM EST
File Name: BAA Software Assurance through Economic Measures.pdf
File Type: Portable Document Format
File Size: 283 KB bytes
Submitted electronically by: Wright, Craig S.
This is your official confirmation of receipt. Please save this email for your records, as no other receipt will be provided. Thank you for your participation in the DHS BAA Program. Please login to the portal at [URL not captured]. If you have any questions, please contact DHS Technical Support at dhsbaa@reisys.com or call (703) 480-7676.
Sincerely,
DHS BAA Program Support

Craig S Wright
From: BAA Program Support Office
Sent: Wednesday, 2 March 2011 10:53 AM
To: Wright, Craig S.; Wright, Craig S.; Wright, Craig S.
Subject: Submission confirmation of your DHS BAA Program Proposal BAA 11-02-TTA

Your proposal has been received electronically at the DHS Program Support Office.
BAA 11-02 White Paper Proposal BAA 11-02-TTA 09-0049-WP
Proposal Title: Risk Quantification
Company Name: DEFENSE RESEARCH LLC
Proposal Details:
Cover Sheet A completed on: 02/16/11 02:30 AM EST
Cover Sheet completed on: 02/16/11 01:22 AM EST
White Paper Upload completed on: 03/01/11 04:55 PM EST
File Name: BAA 11-02-TTA Risk Quantification.pdf
File Type: Portable Document Format
File Size: 349 KB bytes
Submitted electronically by: Wright, Craig S.
This is your official confirmation of receipt. Please save this email for your records, as no other receipt will be provided. Thank you for your participation in the DHS BAA Program.
Please login to the portal at [URL not captured]. If you have any questions, please contact DHS Technical Support at dhsbaa@reisys.com or call (703) 480-7676.
Sincerely,
DHS BAA Program Support

DHS Broad Agency Announcements (BAA) Program Portal
Skip Navigation
BAA Home | Basic Research Focus Areas | High Priority Technology Areas | Solicitations | Current Solicitations | Past Solicitations | Solicitation Awards | Proposal Submission | Awardee Portal | News And Events | Directorate Events | S&T Directorate Website | Privacy Policy | FAQs
Program-Portal Registration Form
Please do not register yourself MORE THAN [illegible] Program. Fill in your registration information below. If there are errors on the registration form, you will be asked to re-enter the Company PIN and user password. (Note: For security reason, this page will expire after 20 minutes of inactivity.)
* Required Information
COMPANY INFORMATION
*Company Name: INFO DEFENSE RESEARCH LLC
TIN: 274997114
*Address (Line 1): 4371 Norhtlake #314 (E-mail us if you need to modify the address)
Address (Line 2):
*City: [illegible] Beach
*State: FL
*Zip+4: [illegible]
*Phone: [illegible] (Need help for Company's Phone and Fax? Enter only numbers)
Fax:
*CEO/President's E-mail: dave@davekleiman.com
9-digit Data Universal Numbering System (DUNS) number plus a 4-digit suffix given by parent concern: (What is a DUNS?)
CAGE Code: (How do I get a CAGE Code?)
SIC: (What is a SIC?)
FICE: (What is a FICE?)
Company URL: (Provide URL, e.g. http://www.example.com)
*Year of Company Founded:
*Company PIN: (Why do you need a PIN? Should be all numeric; no blank spaces allowed. Length must be between 4-6 numbers.)
*Confirm Company PIN:
COMPANY POINT OF CONTACT INFORMATION
*Salutation: Mr.
*First Name: Craig
Middle Initial: S
*Last Name: Wright
*Title: Lead Researcher
*Phone: 61 683 914 (Enter only numbers)
Ext:
Fax:
*E-mail Address: [not captured] (Important! Fill out carefully)
*Confirm E-mail Address: (Re-enter Email Address)
USER INFORMATION
[x] Check here if you are also the Company Point Of Contact. (This will pre-populate your information.)
*Salutation: Mr.
*First Name: Craig
Middle Initial: S
*Last Name: Wright
*Title: Lead Researcher
*Phone: 61(417)683914 (Enter only numbers)
Ext:
Fax:
*E-mail Address: [not captured] (Important! Fill out carefully)
*Confirm E-mail Address: (Re-enter Email Address)
Username: [illegible] (Only alphanumeric characters and underscores are allowed. Username must be at least 8 characters.)
*Password: (Your password must be at least [illegible] characters long and must have an upper case, a lower case, a number, and a special character. Your new password cannot repeat any of your previous passwords.)
*Confirm Password:
PIN Contact: [ ] Check here if you want to list yourself as a contact for Company's PIN.
Additional Authentication (used if you forget your password)
*Select your question: Who is your favorite person?
*Answer to above question: Myself
(You will be prompted with this question and a new password will be issued automatically if your answer matches the one you give here.)
DHS Form 10025 (7/07)
U.S. Department of Homeland Security Science & Technology (S&T) Directorate | SBIR Website | OSDBU | SAFETY Act | SECURE Program | Contact Us

Craig S Wright
From: Dave Kleiman
Sent: Wednesday, 16 February 2011 2:22 PM
To: [not captured]
Cc: [not captured]
Subject: RE: Registration
Attachments: Info Defense Research LLC 08.pdf
Importance: High

Look over the attached real quickly. Let me know if it is ok. Or should the vendor on the list. Pay special attention to "Additional Authentication"
Dave

From: Craig S Wright
Sent: Tuesday, February 15, 2011 22:04
To: Dave Kleiman
Subject: RE: Registration

51 Cowangarra Rd
Bagnoo, New South Wales, 2446 AU
The other is not any longer

-----Original Message-----
From: Dave Kleiman [mailto:dave@davekleiman.com]
Sent: Wednesday, 16 February 2011 1:08 PM
To: [not captured]
Subject: RE: Registration

Are either of these your current address?
51 Cowangarra Rd
Bagnoo, New South Wales, 2446 AU
Level 19, 2 Market Street
Sydney, NSW 2000 AU

From: Dave Kleiman
Sent: Tuesday, February 15, 2011 14:13
To: [not captured]
Subject: RE: Registration

It is under vendor registration that it requested DUNS see:
Dave

From: Dave Kleiman
Sent: Tuesday, February 15, 2011 07:29
To: [not captured]
Subject: RE: Registration
Importance: High

Last page of attached. Do you think I can list you as or with a foreign address, or you think they would kick it back?
Dave

-----Original Message-----
From: Dave Kleiman
Sent: Tuesday, February 15, 2011 06:35
To: [not captured]
Subject: RE: Registration

Did you already create a username and password?

-----Original Message-----
From: Craig S Wright
Sent: Tuesday, February 15, 2011 04:48
To: Dave Kleiman
Subject: Registration

The first is to do with the attached TTA 01 - Software Assurance
White paper title: Software assurance through economic measures
This also leads to the following one with: TTA 14 Software Assurance MarketPlace (SWAMP)
White paper title: Software derivative markets and information security risk markets
Greyfog (last email) should also come under TTA 05 Secure, Resilient Systems and Networks
Dr.
Craig S Wright
GSE-Malware, GSE-Compliance, LLM, [remainder illegible]
Information Defense Pty
Mobile: 0417 683 914
Description: Logo4

Proposal White Paper
BAA number: (Type I) BAA 01-0127-WP
Title of proposal: Software Assurance through Economic Measures
Name of offeror: INFO DEFENSE RESEARCH LLC
Administrative Contact: Dave Kleiman
Company Name: INFO DEFENSE RESEARCH LLC
Mailing Address (Line 1): 4371 Norhtlake #314
Mailing Address (Line 2):
City: Palm Beach
State: FL
Zip Code: 33410-6253
Phone: 5613108801
Fax: NA
TIN: 274997114
Technical Contact: Craig Wright
Company Name: INFO DEFENSE RESEARCH LLC
Mailing Address (Line 1): 4371 Norhtlake #314
Mailing Address (Line 2):
City: Palm Beach
State: FL
Zip Code: 33410-6253
Phone: +612 43621512
Fax: NA
TIN: 274997114
INFO DEFENSE RESEARCH LLC is a Joint Venture Company between a US Vet. Owned Enterprise and an Australian Research Company.
Amount Requested (in dollars): $650,000.00
Duration: 36 months
Requested Starting Date: 07/04/2011
Business Type: Small Business

Executive Summary
The deficiency of published quantitative data on software development and systems design has been a major ground for software engineering's failure to ascertain a proper scientific foundation. Past studies into coding practice have focused on software vendors. These developers have many distinctions from in-house projects that are not incorporated into the practices and do not align well with in-house corporate code development. In the past, building software was the only option but as the industry developed, the build vs. buy argument has swung back towards in-house development with the uptake of Internet connected systems.
In general, this has been targeted towards specialized web databases and online systems, with office systems and mainstream commercial applications becoming a "buy" decision. As companies move more and more to using the web and as "cloud applications" become accepted, development is becoming more common. This paper uses an empirical study of in-house software coding practices in Australian companies to both demonstrate that there is an economic limit to how far testing should proceed as well as noting the deficiencies in the existing approaches.

1.1 Related Work
Other studies of coding processes and reliability have been conducted over the last few decades. The majority of these have been based either on studies of large systems and mainframe based operations or have analyzed software vendors. In the few cases where coding practices within individual organizations have been quantitatively analyzed, the organizations have nearly always been large telecommunications firms or have focused on SCADA and other critical system providers. Whilst these results are extremely valuable, they fail to reflect the state of affairs within the vast majority of organizations. With far more small to medium businesses coupled with comparatively few large organizations with highly focused and dedicated large scale development teams (as can be found in any software vendor), an analysis of in-house practice is critical to both security and the economics of in-house coding. As the internet becomes all-pervasive, internal coding functions are only likely to become more prevalent and hence more crucial to the security of the organization.

1.2 Our contribution
We intend to present an analysis using empirical studies to determine and model the cost of finding, testing and fixing software bugs. We model the discovery of bugs or vulnerabilities using quantitative functions and calculate the defect rate per SLOC (source lines of code) using Bayesian calculations.
The end solution to the limited and sub-optimal markets that currently exist would be the creation of hedge funds for software security. Sales in software security based derivatives could be created on forward contracts. One such solution is the issuing of paired contracts (such as exist in short sales of stocks). The first contract would be taken by a user and would pay a fixed amount if the software has suffered from any unmitigated vulnerabilities on the (forward) date specified in the contract. The paired contract would cover the vendor. If the vendor creates software without flaws (or at least mitigates all easily determinable flaws prior to the inception of the contract) the contract pays them the same amount as the first contract. This is in effect a "bet" that the software will perform effectively. If a bug is discovered, the user is paid a predetermined amount. This amount can be determined by the user to cover the expected costs of patching and any consequential damages (if so desired). This allows the user to select their own risk position by purchasing more or less risk as suits both the risk tolerance and the nature of the user's systems. Such a derivative (if an open market is allowed to exist) would indicate the consensus opinion as to the security of the software and the reputation of the vendor. Such an instrument would allow software vendors and users to hedge the risks faced by undiscovered software vulnerabilities. These instruments would also be in the interest of the software vendor's investors, as the ability to manage risk in advance would allow for forward financial planning and limit the negative impact that vulnerability discovery has on the quoted prices of a vendor's capital.
This project will model the security of software coding practices in a manner that will lead to fewer economic externalities.

Utility to Department of Homeland Security
The game theoretic approach to this can be modeled looking at the incentives of the business and programming functions in the organization. Programmers are optimists. As Brooks noted, "the first assumption that underlies the scheduling of systems programming is that all will go well". Testing is rarely considered by the normal programmer as this would imply failure. However, the human inability to create perfection leads to the introduction of flaws at each stage of development.

Technical Approach
Just as car dealers buff the exterior and detail the upholstery of a used car, neglecting the work that should be done on the engine, software vendors add features. Most users are unlikely to use even a small fraction of these features, yet they buy the product that offers more features over the more secure product with fewer features. The issue here is that users buy the features over security. This is a less expensive option for the vendor to implement and provide. The creation of a security and risk derivative should change this. The user would have an upfront estimate of the costs and this could be forced back to the software vendor. Where the derivative costs more than testing, the vendor would conduct more in-depth testing and reduce the levels of bugs. This would most likely lead to product differentiation (as occurred in the past with Windows 95/Windows NT). Those businesses who wish to pay for security could receive it. Those wanting features would get what they asked for.

It is argued that software developers characteristically do not correct all the security vulnerabilities and that known ones remain in the product after release.
Whether this is due to a lack of resources or other reasons, this is unlikely to be the norm and would be rectified by the market. The cost to vendors in share price and reputational losses exceeds the perceived gains from technical reasons where the fix might break existing applications. The application is already broken in the instance of a security vulnerability.

Users could still run older versions of software and have few, if any, bugs. The issue is that they would also gain no new features. It is clear that users want features. They could also choose to use only secure software, but the costs of doing so far outweigh the benefits and do not provide a guarantee against the security of a system being compromised. As such, the enforced legislation of security standards against software vendors is detrimental. A better approach would be to allow an open market based system where vendors can operate in reputational and derivative markets. At the end of any analysis, security is a risk function and what is most important is not the creation of perfectly secure systems, but the correct allocation of scarce resources. Systems need to be created that allow the end user to determine their own acceptable level of risk based on good information.

The goal of this research project is to create a series of quantitative models for information security that can be used to create a software security derivative and insurance market. Mathematical modeling techniques that can be used to model and predict information security risk will be developed using a combination of techniques including:
- Economic theory and Econometrics,
- Quantitative financial modeling,
- Behavioral Economics,
- Algorithmic game theory, and
- Statistical hazard/survival models.
The models will account for heteroscedastic confounding variables and include appropriate transforms such that variance heterogeneity is assured in non-normal distributions.
Process modeling for integrated Poisson continuous-time processes for risk through hazard will be developed using a combination of:
- Business financial data (company accountancy and other records),
- Anti-Virus Industry data,
- Legal databases for tortious and regulatory costs, and
- Insurance datasets.
This work and research follows and continues that published as:
Wright, Craig S. and Zia, Tanveer A. (2010) The Economics of Developing Security Embedded Software, Proceedings of the 8th Australian Information Security Management Conference, Edith Cowan University, Perth Western Australia, 30th November 2010. Charles Sturt University. URL: [truncated] ...&context=ism
and
Wright, Craig S. (2010) Software, Vendors and Reputation: an analysis of the dilemma in creating secure software, Proceedings of InTrust 2010, The Second International Conference on Trusted Systems, 13th-15th December 2010, Beijing, P. R. China. Charles Sturt University.
and (forthcoming)
Wright, Craig S. and Zia, Tanveer A. (2011) Quantitative Analysis into the Economics of Testing Software Bugs, Proceedings of 4th International Conference on Computational Intelligence in Security for Information Systems, CISIS 2011, June 8-10th, 2011.
Wright, Craig S. and Zia, Tanveer A. (2011) Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls, Proceedings of 4th International Conference on Computational Intelligence in Security for Information Systems, CISIS 2011, June 8-10th, 2011.

Personnel and Performer Qualifications and Experience
Craig Wright (Full CV too long and is available on request)
Over the years Craig has personally conducted and managed in excess of 1,600 IT security related engagements for more than 180 Australian and international organizations in both the private and government sectors. As a strong believer in life-long learning, Craig has qualifications in Law, IT, Mathematics and Business.
However, his driving focus is research and development in the security and risk arena. He is the first person to have obtained multiple GSE certifications (Malware and Compliance). Craig designed the architecture for the world's first online casino (Lasseter's Online) in the Northern Territory; as well, he has, in the past, designed and managed the implementation of many of the systems that protect the Australian Stock Exchange. To add to these accomplishments he has authored IT security related books and articles as well as designed a new university program for Charles Sturt University in New South Wales, Australia, which will offer a Master in Digital Forensics. This program commenced in 2010 and is offered as an on campus and distance education program.

Dave Kleiman
Dave Kleiman is a noted Forensic Computer Investigator, an author/coauthor of multiple books and a noted speaker at security related events.

Bob Radvanovsky, CIFI, CISM, REM, CIPS, Infracritical, Inc. Principal, SCADA expert and Author
- (chapter author) of "Corporate Hacking and Technology-driven Crime: Social Dynamics and Implication", ISBN 1616928050 and 9781616928056, Information Science Publishing, July 2010. URL: [truncated] ...616928050
- "Challenges Faced by the SCADASEC Mailing List", Protecting Canada's Critical Infrastructure 2010 Control Systems Security Workshop, sponsored by Royal Canadian Mounted Police (Ontario Technological Crime), Public Safety Canada and Emergency Management Ontario (Critical Infrastructure Assurance Program), Wednesday April 14, 2010 and Thursday, April 15, 2010. URL: [not captured]
- Author of "Critical Infrastructure: Homeland Security and Emergency Preparedness", Second Edition, ISBN 1420095277 and 9781420095272, Taylor & Francis CRC Press, December 2009.
URL: [truncated] ...Preparedness/dp/1420095277
- Contributor (introduction speaker) of "The Year in Homeland Security", 2008/2009 Edition (Charles Oldham, editor director), Faircount Media Group. URL: [not captured]
- Author (co-author) of "Transportation Systems Security", ISBN 1420063782 and 9781420063783, Taylor and Francis CRC Press, May 2008. URL: [truncated] ...782

Commercialization Capabilities and Plan
The principals are experienced researchers and businessmen in the realm of Information Security. The research will be conducted in conjunction with Charles Sturt University and will follow the standard commercialization processes of the University (these processes are available online). Further, this project will create a large body of public and academic knowledge and scientific research that could also be used by other companies and Universities in the creation of further models and structures that will lead to the securing of more systems again.

Costs, Work, and Schedule
Amount Requested (in dollars): $650,000.00
Duration: 36 months
The funding request will provide full scholarships and positions for three (3) candidates to aid in the research and investigation of software security issues and solutions, the creation of economic models and the publication of an expected 20-30 papers in this field. The period is set to three years, which includes the completion of the projects and the creation of the market, insurance and derivative models.
- Funding $240,000
- Supervision $180,000
- Survey and data Analysis $230,000

Title: Software Assurance through Economic Measures
Date: 07/04/2010
BAA Number: BAA [illegible]
Offeror Name: INFO DEFENSE RESEARCH LLC
Operational Capability: The project will analyze a sample of at least 1,000 coding projects using existing static analysis tools, manual code review and related techniques. Where these methods are lacking, proposals and methods to integrate existing methods and to fill the gaps [illegible] will be created.
Proposed Technical Approach: This project will address and provide measures and
The analysis will measure the following coding errors:
- Format string errors
- Integer Overflows
- Buffer overruns
- SQL Injection
- Cross-Site scripting
- Race Conditions
- Command injection.
Several published papers have been released (forthcoming include):
Wright, Craig S. and Zia, Tanveer A. A Quantitative Analysis into the Economics of Testing Software Bugs, Proceedings of 4th International Conference on Computational Intelligence in Security for Information Systems CISIS 2011, June 8-10th, 2011.
Wright, Craig S. and Zia, Tanveer A. Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls, Proceedings of 4th International Conference on Computational Intelligence in Security for Information Systems CISIS 2011, June 8-10th, 2011.
Schedule, Cost, Deliverables, Contact Info: Provide any milestone decision points that will be required. Describe period of performance and total costs. Include the base performance period cost and length, and estimates of cost and of possible option.
Deliverables:
- 20-30 published papers
- 3 Theses in the field
- A commercial model for software derivatives and insurance markets
A means to measure and predict the following coding errors is being developed: Format string errors, Integer Overflows, Buffer overruns, SQL Injection, Cross-Site scripting, Race Conditions, Command Injection.
Corporate Information:
Dave Kleiman
INFO DEFENSE RESEARCH LLC
4371 Northlake #314
Palm Beach FL 33410-6253
Phone: 5613108801
Email: dave@davekleiman.com
Authorized Representative: Craig Wright
Signature:

Proposal White Paper (Type 1)
BAA number: BAA 1_ 1-02-TTA 09-0049-WP
Title of proposal: Risk Quantification
Name of offeror: INFO DEFENSE RESEARCH LLC
Administrative Contact: Dave Kleiman
Company Name: INFO DEFENSE RESEARCH LLC
Mailing Address (Line 1): 4371 Northlake Blvd #314
Mailing Address (Line 2):
City: Palm Beach  State: FL  Zip Code: 33410-6253
Phone: 5613108801
Fax: NA
TIN: 274997114
Technical Contact: Craig Wright
Company Name: INFO DEFENSE RESEARCH LLC
Mailing Address (Line 1): 4371 Northlake #314
Mailing Address (Line 2):
City: Palm Beach  State: FL  Zip Code: 33410-6253
Phone: +61243621512
Fax: NA
TIN: 274997114
INFO DEFENSE RESEARCH LLC is a Joint Venture Company between a US Vet. Owned Enterprise and an Australian Research Company.
Amount Requested (in dollars): $2,200,000.00
Duration: 36 months
Requested Starting Date: 07/04/2011
Business Type: Small Business

Executive Summary
Using empirical evidence, this research aims to investigate and quantify the root cause of security flaws that act as a source of system compromise. Research into the effects of poor system design, market based risk solutions based on derivative instruments and the impact of common system misconfigurations will be incorporated into multivariate survival models. This research incorporates the economic impact of various decisions as a means of determining the optimal distribution of costs and liability when applied to information security and in particular when assigning costs in computer system security and engineering.
The objective of this research is to produce an innovative modelling architecture designed around information systems security and risk based reliability and survivability analysis. The objectives of the research are:
(1) To address the critical limitations (Jeanblanc & Valchev, 2005) that are associated with reliability engineering in regards to computer systems. This will be completed with competing risks analysis and multivariate survival analysis coupled with a game theoretic approach. Data collected from an analysis of systems in the field will be used to test assumptions. These assumptions (Marti, 2008) include:
a. constant and homogenous failure rates,
b. binary failure and univariate reliability,
c. censoring of failure data, and
d. independent failures.
(2) To produce a methodology for the creation and testing of hazard and survival models for information systems. This will become a risk based quantitative approach to reliability and survivability engineering.
(3) To incorporate methods that represent the effects of misaligned incentives and their consequence to security controls. To do this, it is necessary to recognise that information security is a risk function (Anderson, Longley & Kwok, 1994). Paying for too much security can be more damaging in economic terms than not buying enough. This leads to decisions about where the optimal expenditure on damage prevention should lie. This research will investigate who should be responsible for the security failures that are affecting the economy and society and how this can be maximized in order to minimize negative externalities (Cohen, 1976). The conclusions will be presented using an empirical study of software hazard rates and audit failures along with the question of how to enforce liability in a global economy.
The research is intended to address some of the economic issues that are arising due to an inability to assign risk correctly, a failure to measure risk, as well as looking at the misalignment of information systems audit and the compliance regime. The externalities that restrict the development of secure software, and how the failure of the end user to apply controls makes it less probable that a software vendor will enforce stricter programming controls, together with failures in the audit and measurement processes, are addressed. This includes a look at the misalignment of audit to security. This misalignment is demonstrated to result from the drawing of funds from security in order to provide compliance with little true economic gain (Wright, 2010). The introduction of Game Theory and Behavioural Economics (Anderson, 2001; Anderson & Moore, 2006; Varian, 2004) has created a foundation for the rationalisation of information security processes which leads to improved allocation of economic resources. The optimal distribution of economic resources across risk allocations in information systems can only lead to a combination of more secure systems for a lower overall cost. This research will incorporate the game theoretic multi-player decision problem. Agents in the model will be deemed to be rational with well-defined preferences, include the ability to reason strategically using their knowledge and belief of other players, and act according to a combination of both economic "first thought" and deep strategic thinking (Nisan et al., 2007). Solutions to these models will be sought through a combination of the following game devices:
- Equilibrium: evolutive (steady state) games
- Heterogeneous sequential games
- Rationalisability: deductive reasoning
The models will detail the existence of strictly dominating games where these exist in information security practices and propose methods to improve these models.
Existing information security practices in existing organisations will be classified into the following game types:
- Non-cooperative vs. cooperative game
- Strategic vs. extensive game
- Perfect vs. imperfect information
Bounded rationality, behavioural game aspects and other feedback effects will be investigated (Nisan et al., 2007). Social capital based on fairness and reciprocity will be defined as it applies to the economically efficient application of risk processes associated with information systems. Contract Theory will be used to explain the creation of agreements and "contracts" in the presence of information asymmetry. This is approached through the combination of adverse selection, moral hazards and the "signalling game". In this, adverse selection is defined as the "Principal not having been informed of the other agent's private information ex-ante", such as in George Akerlof's "Market for lemons" (1970). This application of game theory has been asserted to explain many aspects of the software industry's predisposition to create insecure software (Anderson, 2001). Arora, Telang and Xu (2004) asserted that a market-based mechanism for software vulnerabilities would necessarily underperform a CERT-type mechanism. The market that they used was a game theoretic pricing game. In the model reported, the players in the market do not report their prices [1]. These players use a model where information is distributed simultaneously to the client of the player and the vendor. The CERT model was touted as being the most favourable solution. The research will demonstrate that the examined "market" model is in itself sub-optimal. It both creates incentives to leak information without proper safeguards and creates vulnerability black-markets that rely on waiting until a patch was publicly released and only then releasing the patch to the public.
This ignores many externalities and assumes the only control is a patch in place of other alternative compensating controls. It is to be demonstrated that there are flaws with this approach that can be solved through the creation of a security and risk derivative market for software. The user would have an upfront estimate of the costs and this could be forced back to the software vendor. Where the derivative costs more than testing, the vendor would conduct more in-depth testing and reduce the levels of bugs (Bacon et al., 2009).

1.2 Our contribution and Technical Approach
We intend to present an analysis using empirical studies to determine and model the cost of finding, testing and fixing security vulnerabilities. The goal of this research project is to create a series of quantitative models for information security. Mathematical modelling techniques that can be used to model and predict information security risk will be developed using a combination of techniques including:
- Economic theory, and Econometrics
- Quantitative financial modelling,
- Behavioural Economics,
- Algorithmic game theory and
- Statistical hazard/survival models.
The models will account for heteroscedastic confounding variables and include appropriate transforms such that variance heterogeneity is assured in non-normal distributions. Process modelling for an integrated Poisson continuous-time process for risk through hazard will be developed using a combination of:
- Business financial data (company accountancy and other records),
- Anti-Virus industry data,
- Legal databases for tortious and regulatory costs and
- Insurance datasets.
This data will be coupled with hazard models created and validated using Honeynets (Project Honeynet), reporting sites such as the Internet Storm Centre and iDefence.

[1] iDefense Ltd. and other similar providers have a semi-closed market with limited information exchange.
The combination of this information will provide the framework for a truly quantitative security risk framework [2]. At present, the DShield storm centre receives logging from over 600,000 organisations. This represents a larger quantity of data than is used for actuarial data in the home insurance industry. The problem is that this information is not collated or analysed in any quantitatively sound manner. This research will model survival times for types of applications using the body of research into quantitative code analysis for risk. The research will create a series of models (such as those used within mechanical engineering, material science etc.) for Information Risk. Some of the methods that are planned for testing in the creation of the risk framework will include:
- Random forest clustering,
- K-means analysis,
- Other classification algorithms, and
- Network associative maps in text analysis forensic work.
The correlation of reference data (such as IP and functional analysis data) between Command and Control systems used in "botnets" is one aspect of this research. Starting from the outside (the cloud and perimeter) and working inwards to the network, the risk model would start by assessing external threats and move into internal threat sources, becoming gradually more and more granular as one moves from network to individual hosts and finally to people (user behaviour (Varian, 2004)) and application modelling (Guo, Jarrow & Zeng, 2005). The eventual result will be the creation of a model that can incorporate the type of organisation, size, location, application, systems used, and the user awareness levels to create a truly quantitative risk model. This would be reported with SE (standard error) and confidence level rather than a point estimate. Code to import data from hosts and networks, using raw "pcap traces" [3], will be developed such that system statistics and other data can be collated into a standardised format.
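As an added illustration of the survival-time modelling this section proposes (it is not code from the proposal or from INFO DEFENSE RESEARCH LLC), the following Python computes a Kaplan-Meier survival curve per application type from right-censored compromise records, attaches a Greenwood standard error to each estimate so the result carries an SE rather than a point estimate, and derives a Nelson-Aalen cumulative hazard. The monitoring records, the two application types and the choice of a non-parametric estimator are assumptions of this example, not data or methods from the page.

```python
"""Kaplan-Meier survival curves per application type, with Greenwood standard
errors and a Nelson-Aalen cumulative hazard. Added illustration of the
survival-time modelling the proposal describes; not the proposal's own code.
The observations below are constructed, not measured."""
from math import sqrt

# Constructed monitoring records: (application type, days until the host was
# first compromised or monitoring stopped, True if a compromise was observed).
# observed=False is a right-censored record: still clean when monitoring ended.
OBSERVATIONS = [
    ("web-app", 12, True), ("web-app", 30, True), ("web-app", 45, False),
    ("web-app", 60, True), ("web-app", 90, False),
    ("db", 40, True), ("db", 75, False), ("db", 120, True),
    ("db", 180, False), ("db", 200, False),
]


def _risk_sets(durations, events):
    """Yield (t, n_at_risk, n_failed) for each distinct observed event time."""
    pairs = list(zip(durations, events))
    for t in sorted({d for d, e in pairs if e}):
        at_risk = sum(1 for d, _ in pairs if d >= t)  # censored at t still count
        failed = sum(1 for d, e in pairs if d == t and e)
        yield t, at_risk, failed


def kaplan_meier(durations, events):
    """Return [(t, S(t), SE)] where S is the product-limit survival estimate
    and SE its Greenwood standard error. Censored records leave the risk set
    at their censoring time without being counted as failures."""
    surv, greenwood, curve = 1.0, 0.0, []
    for t, n, d in _risk_sets(durations, events):
        surv *= (n - d) / n
        if n > d:
            greenwood += d / (n * (n - d))  # running Greenwood variance term
        curve.append((t, surv, surv * sqrt(greenwood)))
    return curve


def nelson_aalen(durations, events):
    """Cumulative hazard H(t) = sum over event times <= t of d_i / n_i."""
    total, out = 0.0, []
    for t, n, d in _risk_sets(durations, events):
        total += d / n
        out.append((t, total))
    return out


def survival_at(curve, t):
    """Step-function lookup: estimated survival probability just after time t."""
    surv = 1.0
    for event_time, s, _ in curve:
        if event_time <= t:
            surv = s
    return surv


def curves_by_type(observations):
    """Fit one Kaplan-Meier curve per application type."""
    by_type = {}
    for app, days, observed in observations:
        durations, events = by_type.setdefault(app, ([], []))
        durations.append(days)
        events.append(observed)
    return {app: kaplan_meier(d, e) for app, (d, e) in by_type.items()}


if __name__ == "__main__":
    for app, curve in curves_by_type(OBSERVATIONS).items():
        for t, s, se in curve:
            lo, hi = max(0.0, s - 1.96 * se), min(1.0, s + 1.96 * se)
            print(f"{app:8s} day {t:4d}  S={s:.3f}  SE={se:.3f}  "
                  f"95% CI [{lo:.3f}, {hi:.3f}]")
```

The censored hosts are the point of the exercise: they stay in the risk set until their censoring time and are never counted as failures, whereas dropping them (or treating the end of monitoring as a compromise) would bias the survival estimate, which is the censoring issue the objectives list under (1)c.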
This code will be developed in and this will enable the creation and release of actuarial threat risk models that incorporate heterogeneous tendencies in variance across multidimensional determinants while maintaining parsimony. I foresee a combination of (heteroscedastic predictors etc.) coupled with non-parametric survival models. I expect that this will result in a model where the underlying hazard rate (rather than survival time) is a function of the independent variables (covariates). Cox's Proportional Hazard Model with Time-Dependent Covariates would be a starting point, going to non-parametric methods if necessary. The end goal will be to create a framework and possibly a program that can assess a data stream based on a number of dependent variables (threat models, system survival etc.) and covariates and return a quantified risk forecast and standard error.

[2] Support has been sought and received from SANS (including DShield), CIS (Centre for Internet Security) and the Honeynet Project.

Utility to Department of Homeland Security
When a system fails, it often can fail in numerous ways with several causes for the failure (Crowder, 2001). Censored observation management can be considered the principal factor influencing survival analysis. Survival analysis has developed rigorous procedures and methods effective for the treatment of censored data based on probability theory, counting and stochastic processes as well as the Martingale central limit theorem. References to the univariate analysis of survival are found in Cox (1972), Cox and Oakes (1984), Fleming and Harrington (1991), Andersen et al. (1993), Kalbfleisch and Prentice (1980, 2002), Klein and Moeschberger (2003), Ibrahim et al. (2005), Lawless (1982, 2003), Ma and Krings (2008). Modeling risk allows it to be measured and controlled. This work and research follows and continues: Wright, Craig S. and Zia, Tanveer A.
(2010) The Economics of Developing Security Embedded Software, Proceedings of the 8th Australian Information Security Management Conference, Edith Cowan University, Perth Western Australia, 30th November 2010, Charles Sturt University 10 &context=ism
and (forthcoming):
Wright, Craig S. and Zia, Tanveer A. (2011) A Quantitative Analysis into the Economics of Testing Software Bugs, Proceedings of 4th International Conference on Computational Intelligence in Security for Information Systems CISIS 2011, June 8-10th, 2011.
Wright, Craig S. and Zia, Tanveer A. (2011) Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls, Proceedings of 4th International Conference on Computational Intelligence in Security for Information Systems CISIS 2011, June 8-10th, 2011.

Personnel and Performer Qualifications and Experience
Craig Wright (Full CV too long and is available on request)
Over the years Craig has personally conducted and managed in excess of 1,600 IT security related engagements for more than 180 Australian and international organizations in both the private and government sectors. As a strong believer in life-long learning, Craig has qualifications in Law, IT, Mathematics and Business. However, his driving focus is research and development in the security and risk arena. He is the first person to have obtained multiple GSE certifications (Malware and Compliance). Craig designed the architecture for the world's first online casino (Lasseter's Online) in the Northern Territory; as well, he has, in the past, designed and managed the implementation of many of the systems that protect the Australian Stock Exchange. To add to these accomplishments he has authored IT security related books and articles as well as designed a new university program for Charles Sturt University in New South Wales, Australia which will offer a Master in Digital Forensics.
This program commenced in 2010 and will be offered as an on campus and distance education program.

Dave Kleiman
Dave Kleiman is a noted Forensic Computer Investigator, an author/coauthor of multiple books and a noted speaker at security related events.

Bob Radvanovsky, CIFI, CISM, REM, Infracritical, Inc.
Principal, SCADA expert and Author
URL: Implications/dp/1616928050
URL: 0-review.zip
URL: Preparedness/dp/1420095277
URL:
URL: 1420063782

Commercialization Capabilities and Plan
The principals are experienced researchers and businessmen in the realm of Information Security. The research will be conducted in conjunction with Charles Sturt University and will follow the standard commercialization processes of the University (these processes are available online). Further, this project will create a large body of public and academic knowledge and scientific research that could also be used by other companies and Universities in the creation of further models and structures that will lead to the securing of more systems again.

Costs, Work, and Schedule
Amount Requested (in dollars): $2,200,000.00
Duration: 36 months
The funding request will provide full scholarships and positions for three (3) candidates to aid in the research and investigation of software security issues and solutions, the creation of economic models and the publication of an expected 20-30 papers in this field. The period is set to three years, which includes the completion of the projects and the creation of the market, insurance and derivative models.
- Funding $480,000
- Supervision $350,000
- Survey and data Analysis $230,000
- Research Fellowships (2) $260,000
- Administration $120,000
- Costs (Computational Systems) $660,000
- Support Costs (Coding) $300,000

BAA Number: BAA
Offeror Name: INFO DEFENSE RESEARCH LLC
Title: Risk Quantification
Date: 07/04/2010
Operational Capability: The research is intended to address some of the economic issues that are arising due to an inability to assign risk correctly, a failure to measure risk, as well as looking at the misalignment of information systems audit and the compliance regime. The externalities that restrict the development of secure software, and how the failure of the end user to apply controls makes it less probable that a software vendor will enforce stricter programming controls, together with failures in the audit and measurement processes, are addressed. This includes a look at the misalignment of audit to security. This misalignment is demonstrated to result from the drawing of funds from security in order to provide compliance with little true economic gain (Wright, 2010).
Proposed Technical Approach: The objective of this research is to produce an innovative modeling architecture designed around information systems security and risk based reliability and survivability analysis. Objectives of the research are:
(1) To address the critical limitations (Jeanblanc & Valchev, 2005) that are associated with reliability engineering in regards to computer systems. This will be completed with competing risks and multivariate survival coupled with a game theoretic approach. Data collected from an analysis of systems in the field will be used to test assumptions. These (Marti, 2008) include:
a. constant and homogenous failure rates,
b. binary failure and univariate reliability,
c. censoring of failure data, and
d. independent failures.
(2) To produce a methodology for the creation and testing of hazard and survival models for information systems. This will become a risk based quantitative approach to reliability and survivability engineering.
(3) To incorporate methods that represent the effects of misaligned incentives and their consequence to security controls.
Schedule, Cost, Deliverables, Contact Info:
Deliverables:
- 30-40 published papers
- 3 Theses in the field
- A commercial model for modeling information risk
Several published papers have been released (forthcoming include):
Wright, Craig S. and Zia, Tanveer A. (2011) A Quantitative Analysis into the Economics of Testing Software Bugs, Proceedings of CISIS 2011, June 8-10th, 2011.
Wright, Craig S. and Zia, Tanveer A. (2011) Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls, Proceedings of CISIS 2011, 2011.
Corporate Information:
Dave Kleiman
INFO DEFENSE RESEARCH LLC
4371 Northlake #314
Palm Beach FL 33410-6253
Phone: 5613108801
Email: dave@davekleiman.com
Authorized Representative: Craig Wright
Signature:

Proposal White Paper (Type 1)
BAA number: BAA -02-TTA
Title of proposal: Software Derivative Markets Information Security Risk
Name of offeror: INFO DEFENSE RESEARCH LLC
Administrative Contact: Dave Kleiman
Company Name: INFO DEFENSE RESEARCH LLC
Mailing Address (Line 1): 4371 Northlake #314
Mailing Address (Line 2):
City: Palm Beach  State: FL  Zip Code: 33410-6253
Phone: 5613108801
Fax: NA
TIN: 274997114
Technical Contact: Craig Wright
Company Name: INFO DEFENSE RESEARCH LLC
Mailing Address (Line 1): 4371 Northlake #314
Mailing Address (Line 2):
City: Palm Beach  State: FL  Zip Code: 33410-6253
Phone: +612 43621512
Fax: NA
TIN: 274997114
INFO DEFENSE RESEARCH LLC is a Joint Venture Company between a US Vet. Owned Enterprise and an Australian Research Company.
Amount Requested (in dollars): $1,200,000.00
Duration: 36 months
Requested Starting Date: 07/04/2011
Business Type: Small Business

Executive Summary
This project will develop the optimal derivative and risk strategy for software markets. A game theoretic approach to this will be modeled looking at the incentives of the business and programming functions in the organization. Programmers, as optimists (Brooks) hold, "the first assumption that underlies the scheduling of systems programming is that all will go well". Testing is rarely considered by the normal programmer as this would imply failure. However, the human inability to create perfection leads to the introduction of flaws at each stage of development. This project will deliver frameworks designed to optimize the software development process and to sell the risk using a derivative market place that reflects this risk. The end goal is to remove externalities from the costs of software and incorporate the cost of bad software design into the final cost to the consumer. The deficiency of published quantitative data on software development and systems design has been a major ground for software engineering's failure to ascertain a proper scientific foundation. Past studies into coding practice have focused on software vendors. These developers have many distinctions from in-house projects that are not incorporated into the practices and do not align well with in-house corporate code development. In the past, building software was the only option but as the industry developed, the build vs. buy argument has swung back towards in-house development with the uptake of Internet connected systems. In general, this has been targeted towards specialized web databases and online systems with office systems and mainstream commercial applications becoming a "buy" decision. As companies move more and more to using the web and as "cloud applications"
become accepted, in-house development is becoming more common. This paper uses an empirical study of in-house software coding practices in Australian companies to both demonstrate that there is an economic limit to how far testing should proceed as well as noting the deficiencies in the existing approaches.

1.1 Related Work and our contributions
This research will seek to demonstrate that a well-defined software risk derivative market would improve the information exchange for both the software user and vendor, removing the oft touted imperfect information state that is said to belie the software industry. In this way, users could have a rational means of accurately judging software risks and costs and as such the vendor could optimally apply their time between delivering features and averting risk in a manner demanded by the end user. After all, it is of little value to increase the cost per unit of software by more than an equal compensating control.
necessarily underperform a CERT-type mechanism. The market that they used was a game theoretic pricing game. In the model reported, the players in the market do not report their prices. These players use a model where information is simultaneously distributed to the client of the player and the vendor. The CERT model was touted as being optimal. It relies on waiting until a patch was publicly released and only then releasing the patch to the public. This ignores many externalities and assumes the only control is a patch in place of other alternative compensating controls. Consequently, the examined "market" model is in itself sub-optimal. It both creates incentives to leak information without proper safeguards and creates vulnerability black-markets. As criminal groups and selected security vendors (such as Penetration testers and IDS vendors) have an incentive to gain information secretly, they have an incentive to pay more for unknown vulnerabilities in a closed market.
This means that a seller to one of these parties has a reputational incentive to earn more through not releasing information, as the individual's reputation will be based on their ability to maintain secrecy.

"Vulnerability disclosure adversely and significantly affects the stock performance of a software vendor. We show that, on average, a software vendor loses around 0.63% of market value on the day of the vulnerability announcement. This translates to a dollar amount of $0.86 billion loss in market value. We also show that markets do not penalize a vendor any more if the vulnerability is discovered by a third party than by the vendor itself."

These results demonstrate that a vendor has an incentive to minimize the vulnerabilities found in their products. If an excessive number of vulnerabilities continue to impact a vendor, their market capitalization suffers as a consequence. This justification offers strong evidence that a vendor does not have an incentive to hide information (as third party vulnerability researchers cause an equal loss in capitalization). It has to be expected that any vulnerability known by the vendor will be uncovered. If the vendor fixes this flaw before release, the cost is minimized and at the limit approaches the cost of testing (that is, a zero incremental cost to that which would be expressed later). If the vendor discovers a vulnerability in the software they produce, the result is a 'strongly dominated' motive to fix the bug. Hence, any remaining bugs are those that have not been uncovered by the vendor and which are less economical to find (through an increase in testing). It can thus be demonstrated that the vendor knows no more than the user at the point of software release as to the state of bugs in a product. Testing is far less expensive earlier in the development cycle.
Early in the process, the software developer has the greatest returns in testing and bug finding. As the development progresses, the returns are reduced as the process required and the costs associated with finding and correcting software vulnerabilities increase. The utility is lowest when the software has been shipped to the user. At this point, fixing flaws is an expensive process for both the user and the vendor. This leaves the optimal solution to find as many bugs as possible as early in the development process as is feasible. This contrasts with the increasing costs of finding bugs. This leaves the optimal solution for the vendor based on the discovery of as many bugs as possible as early in the development process as is feasible (as a bug discovered early in the process can cost as much as 10x less than one discovered later). It does not mean that all bugs or vulnerabilities will be found, as the cost of finding additional vulnerabilities quickly exceeds the returns. The market for lemons requires that the vendor knows the level of flaws better than the user. To many this may seem a common sense outcome: the vendor has access to source code, wrote the program and ran the development process. This is a flawed view, as we have demonstrated, as it is in the vendor's interest to mitigate vulnerabilities as early as possible. More importantly, the vendor is punished for bugs.

1.2 Our contribution
We intend to present an analysis using empirical studies to determine and model the cost of finding, testing and fixing software bugs. We model the discovery of bugs or vulnerabilities using quantitative functions and calculate the defect rate per SLOC (source lines of code) using Bayesian calculations. The end solution to the limited and sub-optimal markets that currently exist would be the creation of hedge funds for software security. Sales in software security based derivatives could be created on forward contracts.
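As an added worked example of calculating a defect rate per SLOC with a Bayesian calculation (this is not the proposal's own method or code; the Gamma-Poisson conjugate model, the prior and the module review data are assumptions made here), the following Python updates a Gamma prior on the defect rate with review results from several modules and derives the posterior predictive probability that a new module of a given size carries no undiscovered defect, which is the quantity a forward contract on "unmitigated vulnerabilities" would have to price:

```python
"""Bayesian estimate of a defect rate per KSLOC with a Gamma-Poisson
conjugate model. Added example, not from the proposal; the prior and the
module data below are constructed."""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class GammaPosterior:
    """Gamma(alpha, beta) belief about the defect rate, in defects per KSLOC."""
    alpha: float  # shape: prior pseudo-count of defects plus observed defects
    beta: float   # rate: prior pseudo-exposure in KSLOC plus observed KSLOC

    @property
    def mean(self) -> float:
        """Posterior mean defect rate (defects per KSLOC)."""
        return self.alpha / self.beta

    @property
    def std(self) -> float:
        """Posterior standard deviation of the rate."""
        return sqrt(self.alpha) / self.beta


def update(prior: GammaPosterior, modules) -> GammaPosterior:
    """Conjugate update. modules: iterable of (sloc, defects_found).
    Assumption of this example: each module was reviewed to the same depth,
    so its defect count is Poisson with rate proportional to its size."""
    defects = sum(d for _, d in modules)
    ksloc = sum(s for s, _ in modules) / 1000.0
    return GammaPosterior(prior.alpha + defects, prior.beta + ksloc)


def expected_defects(post: GammaPosterior, ksloc: float) -> float:
    """Expected number of defects in a new module of the given size."""
    return post.mean * ksloc


def prob_no_defects(post: GammaPosterior, ksloc: float) -> float:
    """Posterior predictive P(0 defects) for a new module: a Poisson count
    with a Gamma-distributed rate is negative binomial, and its zero term is
    (beta / (beta + ksloc)) ** alpha."""
    return (post.beta / (post.beta + ksloc)) ** post.alpha


# Constructed prior: worth about 2 defects seen over 1 KSLOC of prior experience.
PRIOR = GammaPosterior(alpha=2.0, beta=1.0)
# Constructed review results: (source lines of code, defects found).
MODULES = [(4000, 6), (10000, 9), (1500, 3)]


if __name__ == "__main__":
    post = update(PRIOR, MODULES)
    print(f"rate = {post.mean:.3f} +/- {post.std:.3f} defects per KSLOC")
    for size in (0.5, 2.0, 10.0):
        print(f"{size:5.1f} KSLOC: expected {expected_defects(post, size):.2f} "
              f"defects, P(defect free) = {prob_no_defects(post, size):.3f}")
```

Reviewing more modules moves `beta` up and shrinks the posterior standard deviation, so the estimate of how much further testing is worth comes with its own uncertainty rather than as a single point value.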
One such solution is the issuing of paired contracts (such as exist in short sales of stocks). The first contract would be taken by a user and would pay a fixed amount if the software has suffered from any unmitigated vulnerabilities on the (forward) date specified in the contract. The paired contract would cover the vendor. If the vendor creates software without flaws (or at least mitigates all easily determinable flaws prior to the inception of the contract) the contract pays them the same amount as the first contract. This is in effect a 'bet' that the software will perform effectively. If a bug is discovered, the user is paid a predetermined amount. This amount can be determined by the user to cover the expected costs of patching and any consequential damages (if so desired). This allows the user to select their own risk position by purchasing more or less risk as suits both the risk tolerance and the nature of the user's systems. Such a derivative (if an open market is allowed to exist) would indicate the consensus opinion as to the security of the software and the reputation of the vendor. Such an instrument would allow software vendors and users to hedge the risks faced by undiscovered software vulnerabilities. These instruments would also be in the interest of the software vendor's investors, as the ability to manage risk in advance would allow for forward financial planning and limit the negative impact that vulnerability discovery has on the quoted prices of a vendor's capital. This project will model the security of software coding practices in a manner that will lead to fewer economic externalities.

Utility to Department of Homeland Security
In economic terms, we want to assign liability such that the optimal damage mitigation strategy occurs. The victim will mitigate their damages where no damages for breach apply in respect of the optimal strategy and payoffs.
The rule that creates the best incentives for both parties is the doctrine of avoidable consequences (marginal costs liability). Mitigation of damages is concerned with both the post-breach behaviors of the victim and the actions of the party to minimize the impact of a breach. In software parlance, this would incur costs to the user of the software in order to adequately secure their systems. This again is a trade-off. Before the breach (through software failures and vulnerabilities that can lead to a violation of a system's security), the user has an obligation to install and maintain the system in a secure state. The user is likely to have the software products of several vendors installed on a single system. Because of this, the interactions of the software selected and installed by the user span the range of multiple sources, and no single software vendor can account for all possible combinations and interactions. Any pre-breach behavior of the vendor and user of software needs to incorporate the capability of the vendors to minimize both the liability attached to their own products and the interactions of other products installed on a system. It is feasible to deploy one of several options that can aid in the minimization of the effects of a breach due to a software problem prior to the discovery of software vulnerabilities. These include:
1. The software vendor can implement protective controls (such as firewalls)
2. The user can install protective controls
3. The vendor can provide accounting and tracking functions
The following steps further facilitate minimizing the effects of software vulnerabilities:
1. The vendor can employ more people to test software for vulnerabilities
2. The software vendor can add additional controls

Where more time is expended on the provision of software security by the vendor (hiring more testers, more time writing code etc.), the cost of the software needs to reflect this additional effort, hence the cost to the consumer increases. This cost is divisible in the case of a widely deployed operating system (such as Microsoft Windows) where it is easy to distribute the incremental costs across additional users. Smaller vendors (such as small tailored vendors for the hotel accounting market) do not have this distributional margin, and the additional controls could result in a substantial increase in the cost of the program.

Technical Approach

The goal of this research project is to create a series of quantitative models for information security that can be used to create a software security derivative and insurance market. Mathematical modeling techniques that can be used to model and predict information security risk will be developed using a combination of techniques including:
- Economic theory and econometrics
- Quantitative financial modeling
- Behavioral economics
- Algorithmic game theory and
- Statistical hazard/survival models.
The models will account for heteroscedastic confounding variables and include appropriate transforms such that variance heterogeneity is assured in non-normal distributions. Process modeling for an integrated Poisson continuous-time process for risk through hazard will be developed using a combination of:
- Business financial data (company accountancy and other records)
- Anti-virus industry data
- Legal databases for tortious and regulatory costs and
- Insurance datasets.

This work and research follows and continues that published as:
Wright, Craig S. and Zia, Tanveer A. (2010) The Economics of Developing Security Embedded Software, Proceedings of the 8th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia, 30th November 2010, Charles Sturt University
and Wright, Craig S. (2010) Software, Vendors and Reputation: an analysis of the dilemma in creating secure software, Proceedings of InTrust 2010, The Second International Conference on Trusted Systems, 13th-15th December 2010, Beijing, P. R. China, Charles Sturt University
and (forthcoming) Wright, Craig S. and Zia, Tanveer A. (2011) A Quantitative Analysis into the Economics of Testing Software Bugs, Proceedings of 4th International Conference on Computational Intelligence in Security for Information Systems 2011, June 8-10th, 2011
Wright, Craig S. and Zia, Tanveer A. (2011) Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls, 2011, June 8-10th, 2011

Personnel and Performer Qualifications and Experience

Craig Wright (Full CV too long and is available on request)
Over the years Craig has personally conducted and managed in excess of 1,600 IT security related engagements for more than 180 Australian and international organizations in both the private and government sectors. As a strong believer in life-long learning, Craig has qualifications in Law, IT, Mathematics and Business. However, his driving focus is research and development in the security and risk arena. He is the first person to have obtained multiple GSE certifications (Malware and Compliance). Craig designed the architecture for the world's first online casino (Lasseter's Online) in the Northern Territory; as well, he has, in the past, designed and managed the implementation of many of the systems that protect the Australian Stock Exchange.
To add to these accomplishments he has authored IT security related books and articles as well as designed a new university program for Charles Sturt University in New South Wales, Australia which will offer a Master in Digital Forensics. This program commenced in 2010 and will be offered as an on-campus and distance education program.

Dave Kleiman
Dave Kleiman is a noted Forensic Computer Investigator, an author/coauthor of multiple books and a noted speaker at security related events.

Bob Radvanovsky, CIFI, CISM, REM, CIPS, Infracritical, Inc.
Principal, SCADA expert and Author (chapter author) of "Corporate Hacking and Technology-driven Crime: Social Dynamics and
URL: 1616928050
URL: infracritical.com/papers/scadas60-2010-review.zip
URL: Preparedness/dp/1420095277
URL:
URL: 1420063782

Commercialization Capabilities and Plan

The principals are experienced researchers and businessmen in the realm of Information Security. The research will be conducted in conjunction with Charles Sturt University and will follow the standard commercialization processes of the University (these processes are available online). Further, this project will create a large body of public and academic knowledge and scientific research that could also be used by other companies and Universities in the creation of further models and structures that will lead to the securing of more systems again.

Costs, Work, and Schedule

Amount Requested (in dollars): $1,200,000.00
Duration: 36 months
The funding request will provide full scholarships and positions for three (3) candidates to aid in the research and investigation of software security issues and solutions, the creation of economic models and the publication of an expected 20-30 papers in this field. The period is set to three years, which includes the completion of the projects and the creation of the market, insurance and derivative models.
- Funding $360,000
- Supervision $180,000
- Survey and data Analysis $220,000
- Administration $120,000
- Core Systems $220,000
- Marketing of system and test use $100,000

BAA Number: BAA 01-0127-WP
Offeror Name: INFO DEFENSE RESEARCH LLC
Title: Software Derivative Markets Information Security Risk
BAA 11-02-TTA
Date: 07/04/2010 NA
Operational Capability: The project will test, develop and test a combination of insurance and derivative based risk markets for both software security and information risk minimization.
Proposed Technical Approach: This project will address and provide measures and
The analysis will measure the following coding errors:
- Format string errors
- Integer overflows
- Buffer overruns
- SQL injection
- Cross-site scripting
- Race conditions
- Command injection.
In addition, market models for selling vulnerabilities will be developed and tested. A first stage vulnerability and risk marketplace will be developed. Several published papers have been released (forthcoming include):
Wright, Craig S. and Zia, Tanveer A. (2011) A Quantitative Analysis into the Economics of Testing Software Bugs, Proceedings of 4th International Conference on Computational Intelligence in Security for Information Systems CISIS 2011, June 8-10th, 2011
Wright, Craig S. and Zia, Tanveer A. (2011) Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls, Proceedings CISIS 2011, June 8-10th, 2011
Schedule, Cost, Deliverables, Contact Info: This project will develop the optimal derivative and risk strategy for software markets. A game theoretic approach to this will be modelled looking at the incentives of the business and programming functions in the organization. Programmers, as optimists (Brooks), hold, "the first assumption that underlies the scheduling of systems programming is that all will go well".
Testing is rarely considered by the normal programmer as this would imply failure. However, the human inability to create perfection leads to the introduction of flaws at each stage of development. This project will deliver frameworks designed to optimize the software development process and to sell the risk using a derivative marketplace that reflects this risk. The end goal is to remove externalities from the costs of software and incorporate the cost of bad software design into the final cost to the consumer.
Deliverables:
- 20-30 published papers
- 3 Theses in the field
- A commercial model for software derivatives and insurance markets
Corporate Information:
Dave Kleiman
INFO DEFENSE RESEARCH LLC
4371 Northlake #314
Palm Beach FL 33410-6253
Phone: 5613108801
Email: dave@davekleiman.com
Authorized Representative: Craig Wright
Signature:

Proposal White Paper

BAA number: (Type II) BAA 1 OS-OISS-WP
Title of proposal: SCADA Isolation
Name of offeror: INFO DEFENSE RESEARCH LLC
Administrative Contact: Dave Kleiman
Company Name: INFO DEFENSE RESEARCH LLC
Mailing Address (Line 1): 4371 Northlake #314
Mailing Address (Line 2):
City: Palm Beach
State Zip Code: FL 33410-6253
Phone: 5613108801
Fax: NA
TIN: 274997114
Technical Contact: Craig Wright
Company Name: INFO DEFENSE RESEARCH LLC
Mailing Address (Line 1): 4371 Northlake #314
Mailing Address (Line 2):
City: Palm Beach
State Zip Code: FL 33410-6253
Phone: +61243621512
Fax: NA
TIN: 274997114
INFO DEFENSE RESEARCH LLC is a Joint Venture Company between a US Vet. Owned Enterprise and an Australian Research Company.
Amount Requested (in dollars): $1,800,000.00
Duration: 36 months
Requested Starting Date: 07/04/2011
Business Type: Small Business

Executive Summary

This project involves the creation of a SCADA targeted filter.
This filter will act as a security gateway allowing users to access legacy systems that do not support modern protocols to do so whilst not having to interfere with the existing system. At the same time, advanced threats and malware (such as STUXNET) will be isolated from the systems using a bridged firewall layer. This system will in itself be isolated and resilient and be capable of reliable action when power and other failures occur. It will collate and report attacks seamlessly, allowing Internet-connected management and monitoring systems to co-exist on treacherous networks in a cloud environment.

The Revenant device is an embedded Linux-based appliance with an RFC-compliant IPSec and stateful firewall implementation built into the kernel. It is built using embedded Linux and is completely solid state with no moving parts to fail and no hard drive. It also utilises kernel-based IPSec. Designed as an appliance, this system is modular and highly configurable, requiring a small physical, CPU and memory footprint. The Revenant appliance platform provides a base set of services and functions as an operating environment for many security-conscious network-based applications. The Appliance provides built-in SSHv2 Secure Remote Management, text-based management and power-off safe operation.

Basic management and upkeep of the Revenant System Life-Cycle comprises:
- Security Patch updates
- System and Application updates
- System health-check and maintenance
- System Security Integrity maintenance

Revenant embodies an embedded appliance architecture with a strong bias towards out-of-band authentication and other network applications. Two primary products have been designed at this point, with expansion into additional modules planned for the future.
- Revenant Private Network Gateway - The Revenant VPN Gateway provides a platform for performing IPSec in several configurations: 1) Network-to-Network 2) Host-to-Network 3) Host-to-Host 4)
- Revenant - The Revenant application is also capable of providing a platform for a sensor.

The Revenant appliance platform provides a base set of services and functions as an operating environment for many security-conscious network-based applications. The Appliance provides built-in Secure Remote Management, text-based management and power-off safe operation.

The Revenant appliance has been built with size, performance and security as primary goals, and as a result of this, the system does not run any network accessible processes except those required by specifically installed modules. The Revenant platform offers no intrinsic network access paths, and is not accessible on the network unless one of the network modules has been installed. The Revenant system does not load any network accessible functionality except as required by the appliance modules loaded in any specific configuration.

The Revenant Measurement appliance is a strong authentication and connection gateway system. Measurement is an access concentrator, which performs strong authentication of user requests. In a security-conscious environment, Measurement allows an organization to effectively provide wide-ranging access to systems or services through a single, secure access path. The Revenant appliance is a perfect platform for Measurement services due to the security functions and services built into the base system.

1.1 Related Work and our contributions

This project involves the creation of a SCADA targeted filter. This filter will act as a security gateway allowing users to access legacy systems that do not support modern protocols to do so whilst not having to interfere with the existing system.
At the same time, advanced threats and malware (such as STUXNET) will be isolated from the systems using a bridged firewall layer. This system will in itself be isolated and resilient and be capable of reliable action when power and other failures occur. It will collate and report attacks seamlessly, allowing Internet-connected management and monitoring systems to co-exist on treacherous networks in a cloud environment.

Technical Approach

A PCap module written in and that can take direct network feeds and report on anomalous traffic (with a learning feature and feedback cycle to minimize error with use) will be developed with the appliance.

This work and research follows and continues that published as:
Wright, Craig S. and Zia, Tanveer A. (2010) The Economics of Developing Security Embedded Software, Proceedings of the 8th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia, 30th November 2010, Charles Sturt University
and Wright, Craig S. (2010) Software, Vendors and Reputation: an analysis of the dilemma in creating secure software, Proceedings of InTrust 2010, The Second International Conference on Trusted Systems, 13th-15th December 2010, Beijing, P. R. China, Charles Sturt University
and (forthcoming) Wright, Craig S. and Zia, Tanveer A. (2011) A Quantitative Analysis into the Economics of Testing Software Bugs, Proceedings of 4th International Conference on Computational Intelligence in Security for Information Systems CISIS 2011, June 8-10th, 2011
Wright, Craig S. and Zia, Tanveer A.
(2011) Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls, 2011, June 8-10th, 2011

Personnel and Performer Qualifications and Experience

Craig Wright (Full CV too long and is available on request)
Over the years Craig has personally conducted and managed in excess of 1,600 IT security related engagements for more than 180 Australian and international organizations in both the private and government sectors. As a strong believer in life-long learning, Craig has qualifications in Law, IT, Mathematics and Business. However, his driving focus is research and development in the security and risk arena. He is the first person to have obtained multiple GSE certifications (Malware and Compliance). Craig designed the architecture for the world's first online casino (Lasseter's Online) in the Northern Territory; as well, he has, in the past, designed and managed the implementation of many of the systems that protect the Australian Stock Exchange. To add to these accomplishments he has authored IT security related books and articles as well as designed a new university program for Charles Sturt University in New South Wales, Australia which will offer a Master in Digital Forensics. This program commenced in 2010 and will be offered as an on-campus and distance education program.

Dave Kleiman
Dave Kleiman is a noted Forensic Computer Investigator, an author/coauthor of multiple books and a noted speaker at security related events.

Bob Radvanovsky, CIFI, CISM, REM, Infracritical, Inc.
Principal, SCADA expert and Author (chapter author) of "Corporate Hacking and Technology-driven Crime: Social Dynamics and
URL: 1616928050
URL:
URL: 420095277
URL:
URL: 420063782

Commercialization Capabilities and Plan

The principals are experienced researchers and businessmen in the realm of Information Security.
The research will be conducted in conjunction with Charles Sturt University and will follow the standard commercialization processes of the University (these processes are available online). Further, this project will create a large body of public and academic knowledge and scientific research that could also be used by other companies and Universities in the creation of further models and structures that will lead to the securing of more systems again.

Costs, Work, and Schedule

Amount Requested (in dollars): $1,800,000.00
Duration: 36 months
The funding request will provide full scholarships and positions for two (2) candidates to aid in the research and investigation of security issues and solutions, the creation of software and IDS tools in this field. The period is set to three years, which includes the completion of the projects and the creation of the appliance and related open source software.
- Funding $240,000
- Supervision $180,000
- Survey and data Analysis $120,000
- Administration $120,000
- Core Systems $220,000
- Marketing of system and test use $100,000
- Software coding $340,000
- Electronics and System $480,000

BAA Number: BAA OS-OTSS-WP
Offeror Name: INFO DEFENSE RESEARCH LLC
Title: SCADA Isolation
Date: 07/04/2010
Operational Capability: The project will test, develop and test a set of software and hardware solutions developed to minimize attacks against SCADA systems.
Proposed Technical Approach: This project will provide a low cost, high availability and security SCADA security solution through:
- System inventory management
- Firewall
- Antivirus/antimalware
- Forensic network capture
- IP property protection and extrusion reporting
- Risk quantification
- Advanced traffic filtering and data capture (the idea to be patented)
- Advanced IDS honeypot
Schedule, Cost, Deliverables, Contact Info: This project involves the creation of a SCADA targeted filter. This filter will act as a security gateway allowing users to access legacy systems that do not support modern protocols to do so whilst not having to interfere with the existing system. At the same time, advanced threats and malware (such as STUXNET) will be isolated from the systems using a bridged firewall layer. This system will in itself be isolated and resilient and be capable of reliable action when power and other failures occur. It will collate and report attacks seamlessly, allowing Internet-connected management and monitoring systems to co-exist on treacherous networks in a cloud environment.
Deliverables:
- 5-10 published papers
- 2 Theses in the field
- A commercial appliance
- A filter program
Corporate Information:
Dave Kleiman
INFO DEFENSE RESEARCH LLC
4371 Northlake #314
Palm Beach FL 33410-6253
Phone: 5613108801
Email: dave@davekleiman.com
Authorized Representative: Craig Wright
Signature:

Proposal White Paper

BAA number: (Type I) BAA 11-02-TTA
Title of proposal: Risk Quantification
Name of offeror: INFO DEFENSE RESEARCH LLC
Administrative Contact: Dave Kleiman
Company Name: INFO DEFENSE RESEARCH LLC
Mailing Address (Line 1): 4371 Northlake #314
Mailing Address (Line 2):
City: Palm Beach
State Zip Code: FL 33410-6253
Phone: 5613108801
Fax: NA
TIN: 274997114
Technical Contact: Craig Wright
Company Name: INFO DEFENSE RESEARCH LLC
Mailing Address (Line 1): 4371 Northlake #314
Mailing Address (Line 2):
City: Palm Beach
State Zip Code: FL 33410-6253
Phone: +61243621512
Fax: NA
TIN: 274997114
INFO DEFENSE RESEARCH LLC is a Joint Venture Company between a US Vet. Owned Enterprise and an Australian Research Company.
Amount Requested (in dollars): $2,200,000.00
Duration: 36 months
Requested Starting Date: 07/04/2011
Business Type: Small Business

Executive Summary

Using empirical evidence, this research aims to investigate and quantify the root cause of security flaws that act as a source of system compromise. Research into the effects of poor system design, market based risk solutions based on derivative instruments and the impact of common system misconfigurations will be incorporated into multivariate survival models. This research incorporates the economic impact of various decisions as a means of determining the optimal distribution of costs and liability when applied to information security and in particular when assigning costs in computer system security and reliability engineering. The objective of this research is to produce an innovative modelling architecture designed around information systems security and risk based reliability and survivability analysis. The objectives of the research are:
(1) To address the critical limitations (Jeanblanc and Valchev, 2005) that are associated with reliability engineering in regards to computer systems. This will be completed with competing risks analysis and multivariate survival analysis coupled with a game theoretic approach. Data collected from an analysis of systems in the field will be used to test assumptions. These assumptions (Marti, 2008) include:
a. constant and homogeneous failure rates,
b. binary failure and univariate reliability,
c. censoring of failure data, and
d. independent failures.
(2) To produce a methodology for the creation and testing of hazard and survival models for information systems. This will become a risk based quantitative approach to reliability and survivability engineering.
(3) To incorporate methods that represent the effects of misaligned incentives and their consequences for security controls. To do this, it is necessary to recognise that information security is a risk function (Anderson, Longley and Kwok, 1994). Paying for too much security can be more damaging in economic terms than not buying enough. This leads to decisions about where the optimal expenditure on damage prevention should lie. This research will investigate who should be responsible for the security failures that are affecting the economy and society and how this can be maximized in order to minimize negative externalities (Cohen, 1976). The conclusions will be presented using an empirical study of software hazard rates and audit failures along with the question of how to enforce liability in a global economy. The research is intended to address some of the economic issues that are arising due to an inability to assign risk correctly and a failure to measure risk, as well as looking at the misalignment of information systems audit and the compliance regime. The externalities that restrict the development of secure software, and how the failure of the end user to apply controls makes it less probable that a software vendor will enforce stricter programming controls, are addressed together with failures in the audit and measurement processes. This includes a look at the misalignment of audit to security. This misalignment is demonstrated to result from the drawing of funds from security in order to provide compliance with little true economic gain (Wright, 2010). The introduction of Game Theory and Behavioural Economics (Anderson, 2001; Anderson and Moore, 2006; Varian, 2004) has created a foundation for the rationalisation of information security processes which leads to improved allocation of economic resources.
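Assumptions (a) and (c) listed under objective (1), constant failure rates and censoring of failure data, are easiest to see on data. The following is an added example written for this page, not the proposal's own code or data: ten constructed host observations (days until first compromise, or days observed with no compromise, which is a right-censored record) are fitted with a Kaplan-Meier curve that keeps censored hosts in the risk set, a constant-hazard (exponential) maximum-likelihood fit, and the naive rate that treats every observation end as a failure. The gap between the first two is the kind of check a survival model would run before accepting a constant rate.

```python
import math

# Constructed observations for ten hosts: (days under observation, compromised?).
# False means the host was still clean when observation ended (right-censored).
# The values are invented for this example.
SAMPLE_HOSTS = [
    (5, True), (8, True), (12, False), (12, True), (20, True),
    (25, False), (30, True), (30, False), (45, True), (60, False),
]


def kaplan_meier(observations):
    """Non-parametric survival curve as [(t, S(t))] at each distinct event time.

    A censored host stays in the risk set up to and including its censoring
    time, then leaves without counting as a failure. This is how survival
    analysis uses partial information instead of discarding or mislabelling it.
    """
    survival, curve = 1.0, []
    for t in sorted({t for t, event in observations if event}):
        at_risk = sum(1 for ti, _ in observations if ti >= t)
        events = sum(1 for ti, e in observations if ti == t and e)
        survival *= 1.0 - events / at_risk
        curve.append((t, survival))
    return curve


def constant_hazard_rate(observations):
    """MLE of a constant hazard (exponential model): events / total exposure.
    Censored time still counts as exposure, just not as an event."""
    events = sum(1 for _, e in observations if e)
    exposure = sum(t for t, _ in observations)
    return events / exposure


def naive_hazard_rate(observations):
    """What one gets by ignoring censoring and counting every observation end
    as a compromise; it overstates the hazard."""
    return len(observations) / sum(t for t, _ in observations)


def exponential_survival(rate, t):
    """S(t) under a constant hazard."""
    return math.exp(-rate * t)


def max_divergence(observations):
    """Largest gap between the Kaplan-Meier curve and the fitted constant-hazard
    curve at the event times; a large value is evidence against assumption (a)."""
    curve = kaplan_meier(observations)
    if not curve:
        return 0.0
    rate = constant_hazard_rate(observations)
    return max(abs(s - exponential_survival(rate, t)) for t, s in curve)


if __name__ == "__main__":
    for t, s in kaplan_meier(SAMPLE_HOSTS):
        print("day %2d  KM S(t)=%.3f  exp S(t)=%.3f"
              % (t, s, exponential_survival(constant_hazard_rate(SAMPLE_HOSTS), t)))
    print("constant hazard %.4f/day, naive %.4f/day, max divergence %.3f"
          % (constant_hazard_rate(SAMPLE_HOSTS), naive_hazard_rate(SAMPLE_HOSTS),
             max_divergence(SAMPLE_HOSTS)))
```

On the constructed data the naive rate is two thirds higher than the censoring-aware one, and the Kaplan-Meier curve falls well below the exponential curve at the later event times, which is the pattern one would expect if the hazard rises with exposure rather than staying constant.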
The optimal distribution of economic resources across risk allocations in information systems can only lead to a combination of more secure systems for a lower overall cost. This research will incorporate the game theoretic multi-player decision problem. Agents in the model will be deemed to be rational with well-defined preferences, include the ability to reason strategically using their knowledge and belief of other players, and act according to a combination of both economic "first thought" and deep strategic thinking (Nissan, et al., 2007). Solutions to these models will be sought through a combination of the following game devices:
- Equilibrium: evolutive (steady state) games
- Heterogeneous sequential games
- Rationalisability: deductive reasoning
The models will detail the existence of strictly dominating games where these exist in information security practices and propose methods to improve these models. Existing information security practices in existing organisations will be classified into the following game types:
- Non-cooperative vs. cooperative game
- Strategic vs. extensive game
- Perfect vs. imperfect information
Bounded rationality, behavioural game aspects and other feedback effects will be investigated (Nissan, et al., 2007). Social capital based on fairness and reciprocity will be defined as it applies to the economically efficient application of risk processes associated with information systems. Contract Theory will be used to explain the creation of agreements and "contracts" in the presence of information asymmetry. This is approached through the combination of adverse selection, moral hazards and the "signalling game". In this, adverse selection is defined as the "Principal not having been informed of the other agent's private information ex-ante" such as in George Akerlof's "Market for lemons" (1970).
This application of game theory has been asserted to explain many aspects of the software industry's predisposition to create insecure software (Anderson, 2001). Arora, Telang and Xu (2004) asserted that a market-based mechanism for software vulnerabilities would necessarily underperform a CERT-type mechanism. The market that they used was a game theoretic pricing game. In the model reported, the players in the market do not report their prices [1]. These players use a model where information is distributed simultaneously to the client of the player and the vendor. The CERT model was touted as being the most favourable solution. The research will demonstrate that the examined "market" model is in itself sub-optimal. It both creates incentives to leak information without proper safeguards and creates vulnerability black-markets that rely on waiting until a patch is publicly released and only then releasing the patch to the public. This ignores many externalities and assumes the only control is a patch in place of other alternative compensating controls. It is to be demonstrated that there are flaws with this approach that can be solved through the creation of a security and risk derivative market for software. The user would have an upfront estimate of the costs and this could be forced back to the software vendor. Where the derivative costs more than testing, the vendor would conduct more in-depth testing and reduce the levels of bugs (Bacon et al. 2009).

[1] iDefense Ltd. and other similar providers have a semi-closed market with limited information exchange.

1.2 Our contribution and Technical Approach

We intend to present an analysis using empirical studies to determine and model the cost of finding, testing and fixing security vulnerabilities. The goal of this research project is to create a series of quantitative models for information security. Mathematical modelling techniques that
can be used to model and predict information security risk will be developed using a combination of techniques including:
- Economic theory and econometrics
- Quantitative financial modelling
- Behavioural economics
- Algorithmic game theory and
- Statistical hazard/survival models.
The models will account for heteroscedastic confounding variables and include appropriate transforms such that variance heterogeneity is assured in non-normal distributions. Process modelling for an integrated Poisson continuous-time process for risk through hazard will be developed using a combination of:
- Business financial data (company accountancy and other records)
- Anti-virus industry data
- Legal databases for tortious and regulatory costs and
- Insurance datasets.
This data will be coupled with hazard models created and validated using Honeynets (Project Honeynet), reporting sites such as the Internet Storm Centre and iDefense. The combination of this information will provide the framework for a truly quantitative security risk framework [2]. At present, the DShield storm centre receives logging from over 600,000 organisations. This represents a larger quantity of data than is used for actuarial data in the home insurance industry. The problem is that this information is not collated or analysed in any quantitatively sound manner. This research will model survival times for types of applications using the body of research into quantitative code analysis for risk. The research will create a series of models (such as those used within mechanical engineering, material science etc.) for information risk. Some of the methods planned for testing in the creation of the risk framework will include:
- Random forest clustering,
- K-means analysis,
- Other classification algorithms, and
- Network associative maps in text analysis forensic work.
The correlation of reference data (such as IP and functional analysis data) between (Command and Control) systems used in "burners" is one aspect of this research. Starting from the outside (the cloud and perimeter) and working inwards to the network, the risk model would start by assessing external threats and move into internal threat sources, gradually becoming more and more granular as one moves from network to individual hosts and finally to people (user behaviour (Varian, 2004)) and application modelling (Guo, Jarrow and Zeng, 2005). The eventual result will be the creation of a model that can incorporate the type of organisation, size, location, application, systems used, and the user awareness levels to create a truly quantitative risk model. This would be reported with SE (standard error) and confidence level rather than a point estimate. Code to import data from hosts and networks, using raw "pcap traces" [3], will be developed such that system statistics and other data can be collated into a standardised format. This code will be developed in and This will enable the creation and release of actuarial threat risk models that incorporate heterogeneous tendencies in variance across multidimensional determinants while maintaining parsimony. I foresee a combination of heteroscedastic predictors (etc.) coupled with non-parametric survival models. I expect that this will result in a model where the underlying hazard rate (rather than survival time) is a function of the independent variables (covariates). Cox's Proportional Hazard Model with Time-Dependent Covariates would be a starting point, going to non-parametric methods if necessary.

[2] Support has been sought and received from SANS (including DShield), (Centre for Internet Security) and the Honeynet project.
[3] Pcap is a packet capture standard supported by both open source and commercial network capture equipment.
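Both the PCap module in the SCADA Isolation proposal and the pcap import code described here are promised but not shown. The following is an added example, not code from either proposal or its authors, of the import step as it would be written against the classic pcap file format with only the Python standard library: each Ethernet/IPv4 packet becomes one standardised record, and the records are collated into per-flow packet and byte counts. The capture it parses is built in memory (the addresses, ports, timestamps and the use of the Modbus/TCP port 502 are invented for the sample); the reader handles both byte orders of the magic number, the nanosecond-resolution variant, and a capture whose last record was truncated.

```python
import socket
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic magic as written by a little-endian host


def _ethernet_ipv4(src, dst, proto, l4_header, payload=b""):
    """Build a minimal Ethernet II + IPv4 frame (constructed for this example;
    checksums are left zero, which the parser below ignores)."""
    body = l4_header + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + body


def _tcp(sport, dport, flags=0x02):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def _udp(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def build_sample_pcap():
    """A constructed four-packet capture: two Modbus/TCP SYNs, one SNMP datagram,
    one SSH SYN, all from a 10.0.0.0/8 monitoring segment to a 192.0.2.10 PLC."""
    frames = [
        (1_300_000_000, 0, _ethernet_ipv4("10.0.0.5", "192.0.2.10", 6, _tcp(40000, 502))),
        (1_300_000_000, 150, _ethernet_ipv4("10.0.0.5", "192.0.2.10", 6, _tcp(40001, 502))),
        (1_300_000_001, 0, _ethernet_ipv4("10.0.0.7", "192.0.2.10", 17, _udp(5000, 161, 30), b"A" * 30)),
        (1_300_000_002, 0, _ethernet_ipv4("10.0.0.5", "192.0.2.10", 6, _tcp(40002, 22))),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Parse a classic pcap byte string into standardised per-packet records.
    Stops cleanly at a truncated record rather than reading garbage."""
    if len(data) < 24:
        raise ValueError("pcap global header missing")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a pcap file: magic %08x" % magic)
    nanos = magic in (0xA1B23C4D, 0x4D3CB2A1)
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    records, offset = [], 24
    while offset + 16 <= len(data):
        sec, frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            break  # truncated capture: keep the complete records already read
        offset += incl_len
        rec = {"ts": sec + frac / (1e9 if nanos else 1e6), "orig_len": orig_len,
               "src": None, "dst": None, "proto": None, "sport": None, "dport": None}
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":  # EtherType IPv4
            ihl = (frame[14] & 0x0F) * 4
            rec["proto"] = frame[23]
            rec["src"] = socket.inet_ntoa(frame[26:30])
            rec["dst"] = socket.inet_ntoa(frame[30:34])
            l4 = frame[14 + ihl:]
            if rec["proto"] in (6, 17) and len(l4) >= 4:  # TCP or UDP ports
                rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        records.append(rec)
    return records


def flow_summary(records):
    """Collate records into (src, dst, proto, dport) -> (packets, bytes)."""
    packets, octets = Counter(), Counter()
    for r in records:
        key = (r["src"], r["dst"], r["proto"], r["dport"])
        packets[key] += 1
        octets[key] += r["orig_len"]
    return {k: (packets[k], octets[k]) for k in packets}


if __name__ == "__main__":
    for flow, (n, b) in flow_summary(parse_pcap(build_sample_pcap())).items():
        print(flow, n, "packets", b, "bytes")
```

The per-flow table is the "standardised format" layer: once every capture source is reduced to the same keyed counts, the survival and hazard models described above can treat a capture from commercial taps and one from an open source sensor as the same kind of input.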
The end goal will be to create a framework and possibly a program that can assess a data stream based on a number of dependent variables (threat models, system survival etc.) and covariates and return a quantified risk forecast and standard error.

Utility to Department of Homeland Security

When a system fails, it often can fail in numerous ways with several causes for the failure (Crowder 2001). Censored observation management can be considered the principal factor influencing survival analysis. Survival analysis has developed rigorous procedures and methods effective for the treatment of censored data based on probability theory, counting and stochastic processes as well as the Martingale central limit theorem. References to the univariate analysis of survival are found in Cox (1972), Cox and Oakes (1984), Fleming and Harrington (1991), Andersen et al. (1993), Kalbfleisch and Prentice (1980, 2002), Klein and Moeschberger (2003), Ibrahim et al. (2005), Lawless (1982, 2003), Ma and Krings (2008). Modelling risk allows it to be measured and controlled.

This work and research follows and continues:
Wright, Craig S. and Zia, Tanveer A. (2010) The Economics of Developing Security Embedded Software, Proceedings of the 8th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia, 30th November 2010, Charles Sturt University
and (forthcoming)
Wright, Craig S. and Zia, Tanveer A. (2011) A Quantitative Analysis into the Economics of Testing Software Bugs, Proceedings of the 4th International Conference on Computational Intelligence in Security for Information Systems, CISIS 2011, June 8-10th, 2011
Wright, Craig S. and Zia, Tanveer A. (2011) Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls, Proceedings of the 4th International Conference on Computational Intelligence in Security for Information Systems, CISIS 2011, June 8-10th, 2011

Personnel and Performer Qualifications and Experience

Craig Wright (Full CV too long and is available on request)
Over the years Craig has personally conducted and managed in excess of 1,600 IT security related engagements for more than 180 Australian and international organizations in both the private and government sectors. As a strong believer in life-long learning, Craig has qualifications in Law, IT, Mathematics and Business. However, his driving focus is research and development in the security and risk arena. He is the first person to have obtained multiple GSE certifications (Malware and Compliance). Craig designed the architecture for the world's first online casino (Lasseter's Online) in the Northern Territory; as well, he has, in the past, designed and managed the implementation of many of the systems that protect the Australian Stock Exchange. To add to these accomplishments he has authored IT security related books and articles as well as designed a new university program for Charles Sturt University in New South Wales, Australia, which will offer a Master in Digital Forensics. This program commenced in 2010 and will be offered as an on campus and distance education program.

Dave Kleiman
Dave Kleiman is a noted Forensic Computer Investigator, an author/coauthor of multiple books and a noted speaker at security related events.

Bob Radvanovsky, CIFI, CISM, REM, CIPS, Infracritical, Inc.
Principal, SCADA expert and Author
URL: …Implications/dp/1616928050
URL: …
URL: …Preparedness/dp/1420095277
URL: …
URL: …1420063782

Commercialization Capabilities and Plan

The principals are experienced researchers and businessmen in the realm of Information Security. The research will be conducted in conjunction with Charles Sturt University and will follow the standard commercialization processes of the University (these processes are available online). Further, this project will create a large body of public and academic knowledge and scientific research that could also be used by other companies and Universities in the creation of further models and structures that will lead to the securing of more systems again.

Costs, Work, and Schedule

Amount Requested (in dollars): $2,200,000.00
Duration: 36 months

The funding request will provide full scholarships and positions for three (3) candidates to aid in the research and investigation of software security issues and solutions, the creation of economic models and the publication of an expected 20-30 papers in this field. The period is set to three years, which includes the completion of the projects and the creation of the market, insurance and derivative models.
- Funding $480,000
- Supervision $350,000
- Survey and data Analysis $230,000
- Research Fellowships (2) $260,000
- Administration $120,000
- Costs (Computational Systems) $660,000
- Support Costs (Coding) $300,000

BAA Number: BAA …
Offeror Name: INFO DEFENSE RESEARCH LLC
Title: Risk Quantification
Date: 07/04/2010

Operational Capability:
The research is intended to address some of the economic issues that are arising due to an inability to assign risk correctly and a failure to measure risk, as well as looking at the misalignment of information systems audit and the compliance regime.
The externalities that restrict the development of secure software, and how the failure of the end user to apply controls makes it less probable that a software vendor will enforce stricter programming controls, together with failures in the audit and measurement processes, are addressed. This includes a look at the misalignment of audit to security. This misalignment is demonstrated to result from the drawing of funds from security in order to provide compliance with little true economic gain (Wright, 2010).

Proposed Technical Approach:
The objective of this research is to produce an innovative modeling architecture designed around information systems security and risk based reliability and survivability analysis. The objectives of the research are:
(1) To address the critical limitations (Jeanblanc & Valchev, 2005) that are associated with reliability engineering in regards to computer systems. This will be completed with a competing and survival analysis coupled with a game theoretic approach. Data collected from an analysis of systems in the field will be used to test these assumptions (Ma 2008), which include:
   a. constant and homogenous failure rates,
   b. binary failure and univariate reliability,
   c. censoring of failure data, and
   d. independent failures.
(2) To produce a methodology for the creation and testing of hazard and survival models for information systems. This will become a risk based quantitative approach to reliability and survivability engineering.
(3) To incorporate methods that represent the effects of misaligned incentives and their consequence to security controls.

Schedule, Cost, Deliverables, Contact Info:
Deliverables:
- 30-40 published papers
- 3 Theses in the field
- A commercial model for modeling information risk

Several published papers have been released (forthcoming include):
Wright, Craig S. and Zia, Tanveer A. (2011) A Quantitative Analysis into the Economics of Testing Software Bugs, Proceedings of CISIS 2011, June 8-10th, 2011
Wright, Craig S. and Zia, Tanveer A. (2011) Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls, Proceedings of CISIS 2011

Corporate Information:
Dave Kleiman
INFO DEFENSE RESEARCH LLC
4371 Northlake #314
Palm Beach FL 33410-6253
Phone: 5613108801
Email:
Authorized Representative: Craig Wright
Signature:

Proposal White Paper

BAA number: BAA (Type 1)
Title of proposal: Software Assurance through Economic Measures
Name of offeror: INFO DEFENSE RESEARCH LLC

Administrative Contact: Dave Kleiman
Company Name: INFO DEFENSE RESEARCH LLC
Mailing Address (Line 1): 4371 Northlake #314
Mailing Address (Line 2):
City: Palm Beach
State & Zip Code: FL 33410-6253
Phone: 5613108801
Fax: NA
TIN: 274997114

Technical Contact: Craig Wright
Company Name: INFO DEFENSE RESEARCH LLC
Mailing Address (Line 1): 4371 Northlake #314
Mailing Address (Line 2):
City: Palm Beach
State & Zip Code: FL 33410-6253
Phone: +612 43621512
Fax: NA
TIN: 274997114

INFO DEFENSE RESEARCH LLC is a Joint Venture Company between a US Vet. Owned Enterprise and an Australian Research Company.
Amount Requested (in dollars): $650000.00
Duration: 36 months
Requested Starting Date: 07/04/2011
Business Type: Small Business

Executive Summary

The deficiency of published quantitative data on software development and systems design has been a major ground for software engineering's failure to ascertain a proper scientific foundation. Past studies into coding practice have focused on software vendors.
These developers have many distinctions from in-house projects that are not incorporated into the practices and do not align well with in-house corporate code development. In the past, building software was the only option but, as the industry developed, the build vs. buy argument has swung back towards in-house development with the uptake of Internet connected systems. In general, this has been targeted towards specialized web databases and online systems, with office systems and mainstream commercial applications becoming a "buy" decision. As companies move more and more to using the web and as "cloud applications" become accepted, in-house development is becoming more common. This paper uses an empirical study of in-house software coding practices in Australian companies to both demonstrate that there is an economic limit to how far testing should proceed as well as noting the deficiencies in the existing approaches.

1.1 Related Work

Other studies of coding processes and reliability have been conducted over the last few decades. The majority of these have been based either on studies of large systems and mainframe based operations or have analyzed software vendors. In the few cases where coding practices within individual organizations have been quantitatively analyzed, the organizations have nearly always been large telecommunications firms or have focused on SCADA and other critical system providers. Whilst these results are extremely valuable, they fail to reflect the state of affairs within the vast majority of organizations. With far more small to medium businesses coupled with comparatively few large organizations with highly focused and dedicated large scale development teams (as can be found in any software vendor), an analysis of in-house practice is critical to both security and the economics of in-house coding.
As the Internet becomes all pervasive, internal coding functions are only likely to become more prevalent and hence more crucial to the security of the organization.

1.2 Our contribution

We intend to present an analysis using empirical studies to determine and model the cost of finding, testing and fixing software bugs. We model the discovery of bugs or vulnerabilities using quantitative functions and calculate the defect rate per SLOC (source lines of code) using Bayesian calculations. The end solution to the limited and sub-optimal markets that currently exist would be the creation of hedge funds for software security. Sales in software security based derivatives could be created on forward contracts. One such solution is the issuing of paired contracts (such as exist in short sales of stocks). The first contract would be taken by a user and would pay a fixed amount if the software has suffered from any unmitigated vulnerabilities on the (forward) date specified in the contract. The paired contract would cover the vendor. If the vendor creates software without flaws (or at least mitigates all easily determinable flaws prior to the inception of the contract), the contract pays them the same amount as the first contract. This is in effect a 'bet' that the software will perform effectively. If a bug is discovered, the user is paid a predetermined amount. This amount can be determined by the user to cover the expected costs of patching and any consequential damages (if so desired). This allows the user to select their own risk position by purchasing more or less risk as suits both the risk tolerance and the nature of the user's systems. Such a derivative (if an open market is allowed to exist) would indicate the consensus opinion as to the security of the software and the reputation of the vendor.
Such an instrument would allow software vendors and users to hedge the risks faced by undiscovered software vulnerabilities. These instruments would also be in the interest of the software vendor's investors, as the ability to manage risk in advance would allow for forward financial planning and limit the negative impact that vulnerability discovery has on the quoted prices of a vendor's capital. This project will model the security of software coding practices in a manner that will lead to fewer economic externalities.

Utility to Department of Homeland Security

The game theoretic approach to this can be modeled by looking at the incentives of the business and programming functions in the organization. Programmers are optimists. As Brooks noted, "the first assumption that underlies the scheduling of systems programming is that all will go well". Testing is rarely considered by the normal programmer as this would imply failure. However, the human inability to create perfection leads to the introduction of flaws at each stage of development.

Technical Approach

Just as car dealers buff the exterior and detail the upholstery of a used car, neglecting the work that should be done on the engine, software vendors add features. Most users are unlikely to use even a small fraction of these features, yet they buy the product that offers more features over the more secure product with fewer features. The issue here is that users buy the features over security. This is a less expensive option for the vendor to implement and provide. The creation of a security and risk derivative should change this. The user would have an upfront estimate of the costs and this could be forced back to the software vendor. Where the derivative costs more than testing, the vendor would conduct more in-depth testing and reduce the levels of bugs. This would most likely lead to product differentiation (as occurred in the past with Windows 95/Windows NT).
Those businesses who wish to pay for security could receive it. Those wanting features would get what they asked for.

It is argued that software developers characteristically do not correct all the security vulnerabilities and that known ones remain in the product after release. Whether this is due to a lack of resources or other reasons, this is unlikely to be the norm and would be rectified by the market. The cost to vendors in share price and reputational losses exceeds the perceived gains from technical reasons where the fix might break existing applications. The application is already broken in the instance of a security vulnerability. Users could still run older versions of software and have few, if any, bugs. The issue is that they would also gain no new features. It is clear that users want features. They could also choose to use only secure software, but the costs of doing so far outweigh the benefits and do not provide a guarantee against the security of a system being compromised. As such, the enforced legislation of security standards against software vendors is detrimental. A better approach would be to allow an open market based system where vendors can operate in reputational and derivative markets. At the end of any analysis, security is a risk function and what is most important is not the creation of perfectly secure systems, but the correct allocation of scarce resources. Systems need to be created that allow the end user to determine their own acceptable level of risk based on good information. The goal of this research project is to create a series of quantitative models for information security that can be used to create a software security derivative and insurance market.
Mathematical modeling techniques that can be used to model and predict information security risk will be developed using a combination of techniques including:
- Economic theory and Econometrics,
- Quantitative financial modeling,
- Behavioral Economics,
- Algorithmic game theory, and
- Statistical hazard/survival models.

The models will account for heteroscedastic confounding variables and include appropriate transforms such that variance heterogeneity is assured in non-normal distributions. Process modeling for an integrated Poisson continuous-time process for risk through hazard will be developed using a combination of:
- Business financial data (company accountancy and other records),
- Anti-Virus industry data,
- Legal databases for tortious and regulatory costs, and
- Insurance datasets.

This work and research follows and continues that published as:
Wright, Craig S. and Zia, Tanveer A. (2010) The Economics of Developing Security Embedded Software, Proceedings of the 8th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia, 30th November 2010, Charles Sturt University. URL: …01&context=ism
and
Wright, Craig S. (2010) Software, Vendors and Reputation: an analysis of the dilemma in creating secure software, Proceedings of InTrust 2010, The Second International Conference on Trusted Systems, 13th-15th December 2010, Beijing, P. R. China, Charles Sturt University
and (forthcoming)
Wright, Craig S. and Zia, Tanveer A. (2011) A Quantitative Analysis into the Economics of Testing Software Bugs, Proceedings of the 4th International Conference on Computational Intelligence in Security for Information Systems, CISIS 2011, June 8-10th, 2011
Wright, Craig S. and Zia, Tanveer A. (2011) Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls, Proceedings of the 4th International Conference on Computational Intelligence in Security for Information Systems, CISIS 2011, June 8-10th, 2011

Personnel and Performer Qualifications and Experience

Craig Wright (Full CV too long and is available on request)
Over the years Craig has personally conducted and managed in excess of 1,600 IT security related engagements for more than 180 Australian and international organizations in both the private and government sectors. As a strong believer in life-long learning, Craig has qualifications in Law, IT, Mathematics and Business. However, his driving focus is research and development in the security and risk arena. He is the first person to have obtained multiple GSE certifications (Malware and Compliance). Craig designed the architecture for the world's first online casino (Lasseter's Online) in the Northern Territory; as well, he has, in the past, designed and managed the implementation of many of the systems that protect the Australian Stock Exchange. To add to these accomplishments he has authored IT security related books and articles as well as designed a new university program for Charles Sturt University in New South Wales, Australia, which will offer a Master in Digital Forensics. This program commenced in 2010 and will be offered as an on campus and distance education program.

Dave Kleiman
Dave Kleiman is a noted Forensic Computer Investigator, an author/coauthor of multiple books and a noted speaker at security related events.

Bob Radvanovsky, CIFI, CISM, REM, CIPS, Infracritical, Inc.
Principal, SCADA expert and Author (chapter author) of "Corporate Hacking and Technology-driven Crime: Social Dynamics and Implications", ISBN 1616928050 and 9781616928056, Information Science Publishing, July 2010.
URL: …Implications/dp/1616928050
"Challenges Faced by the SCADASEC Mailing List", Protecting Canada's Critical Infrastructure 2010 Control Systems Security Workshop, sponsored by Royal Canadian Mounted Police (Ontario Technological Crime), Public Safety Canada and Emergency Management Ontario (Critical Infrastructure Assurance Program), Wednesday April 14, 2010 and Thursday, April 15, 2010.
URL: …
Author of "Critical Infrastructure: Homeland Security and Emergency Preparedness", Second Edition, ISBN 1420095277 and 9781420095272, Taylor & Francis CRC Press, December 2009.
URL: …Preparedness/dp/1420095277
Contributor (introduction speaker) of "The Year in Homeland Security", 2008/2009 Edition (Charles Oldham, editor director), Faircount Media Group.
URL: …
Author (co-author) of "Transportation Systems Security", ISBN 1420063782 and 9781420063783, Taylor and Francis CRC Press, May 2008.
URL: …1420063782

Commercialization Capabilities and Plan

The principals are experienced researchers and businessmen in the realm of Information Security. The research will be conducted in conjunction with Charles Sturt University and will follow the standard commercialization processes of the University (these processes are available online). Further, this project will create a large body of public and academic knowledge and scientific research that could also be used by other companies and Universities in the creation of further models and structures that will lead to the securing of more systems again.

Costs, Work, and Schedule

Amount Requested (in dollars): $650,000.00
Duration: 36 months

The funding request will provide full scholarships and positions for three (3) candidates to aid in the research and investigation of software security issues and solutions, the creation of economic models and the publication of an expected 20-30 papers in this field.
The period is set to three years, which includes the completion of the projects and the creation of the market, insurance and derivative models.
- Funding $240,000
- Supervision $180,000
- Survey and data Analysis $230,000

BAA Number: BAA …
Offeror Name: INFO DEFENSE RESEARCH LLC
Title: Software Assurance through Economic Measures
Date: 07/04/2010

Operational Capability:
The project will analyze a sample of at least 1,000 coding projects using existing static analysis tools, manual code review and related techniques. Where these methods are lacking, proposals and methods to integrate existing methods and to fill the gaps left will be created.

Proposed Technical Approach:
This project will address and provide measures and … The analysis will measure the following coding errors:
- Format string errors
- Integer Overflows
- Buffer overruns
- SQL Injection
- Cross-Site scripting
- Race Conditions
- Command Injection.

Several published papers have been released (forthcoming include):
Wright, Craig S. and Zia, Tanveer A. (2011) A Quantitative Analysis into the Economics of Testing Software Bugs, Proceedings of the 4th International Conference on Computational Intelligence in Security for Information Systems, CISIS 2011, June 8-10th, 2011
Wright, Craig S. and Zia, Tanveer A. (2011) Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls, Proceedings of the 4th International Conference on Computational Intelligence in Security for Information Systems, CISIS 2011, June 8-10th, 2011

Schedule, Cost, Deliverables, Contact Info:
Provide any milestone decision points that will be required. Describe period of performance and total costs. Include the base performance period cost and length, and estimates of cost and of possible option.

Deliverables:
- 20-30 published papers
- 3 Theses in the field
- A commercial model for software derivatives and insurance markets
- A means to measure and predict the following coding errors is being developed: Format string errors, Integer Overflows, Buffer overruns, SQL Injection, Cross-Site scripting, Race Conditions, Command Injection.

Corporate Information:
Dave Kleiman
INFO DEFENSE RESEARCH LLC
4371 Northlake #314
Palm Beach FL 33410-6253
Phone: 5613108801
Email: dave@davekleiman.com
Authorized Representative: Craig Wright
Signature:

Directorate BAA Cover Sheet A
Proposal Does Not Contain Proprietary Information
Proposal Number: BAA 11-02-TTA 14-0025-WP
Topic: TTA 14 Software Assurance MarketPlace (SWAMP)
Proposal Title: Software Derivative Markets Information Security Risk
Company Name: INFO DEFENSE RESEARCH LLC
Mailing Address (Line 1): 4371 Northlake #314
Mailing Address (Line 2):
City: Palm Beach
State & Zip Code: FL 33410-6253
Phone: 5613108801
Fax:
TIN: 274997114
DUNS #: null
CAGE Code: -
SIC:
FICE:
Proposal Contains Proprietary Information: No
Amount Requested (in dollars): $1200000.00
Duration: 36 months
Requested Starting Date: 07/04/2011
Business Type: Small Business - 50 or Fewer Employees; Annual Gross Revenue - 1 Million or Less

[Annexure stamp: This is the annexure marked with the letter P referred to in the affidavit of …, affirmed/declared before me at … ES DONALD, Justice of the Peace, Registration 105174]

Directorate BAA Cover Sheet A
Proposal Does Not Contain Proprietary Information
Proposal Number: BAA 11-02-TTA 09-0049-WP
Topic: TTA 09 - Cyber Economics
Proposal Title: Risk Quantification
Company Name: INFO DEFENSE RESEARCH LLC
Mailing Address (Line 1): 4371 Northlake #314
Mailing Address (Line 2):
City: Palm Beach
State & Zip Code: FL 33410-6253
Phone: 5613108801
Fax:
TIN: 274997114
DUNS #: null
CAGE Code: -
SIC:
FICE:
Proposal Contains Proprietary Information: No
Amount Requested (in dollars): $2200000.00
Duration: 36 months
Requested Starting Date: 07/04/2011
Business Type: Small Business - 50 or Fewer Employees; Annual Gross Revenue - 1 Million or Less

Directorate BAA Cover Sheet A
Proposal Does Not Contain Proprietary Information
Proposal Number: BAA 1… 05-0155-WP
Topic: TTA 05 - Secure, Resilient Systems and Networks
Proposal Title: SCADA Isolation
Company Name: INFO DEFENSE RESEARCH LLC
Mailing Address (Line 1): 4371 Northlake #314
Mailing Address (Line 2):
City: Palm Beach
State & Zip Code: FL 33410-6253
Phone: 5613108801
Fax:
TIN: 274997114
DUNS #: null
CAGE Code:
SIC:
FICE:
Proposal Contains Proprietary Information: No
Amount Requested (in dollars): $1800000.00
Duration: 36 months
Requested Starting Date: 07/04/2011
Business Type: Small Business - 50 or Fewer Employees; Annual Gross Revenue - 1 Million or Less

Directorate BAA Cover Sheet A
Proposal Does Not Contain Proprietary Information
Proposal Number: BAA …
Topic: TTA 01 - Software Assurance
Proposal Title: Software Assurance through Economic Measures
Company Name: INFO DEFENSE RESEARCH LLC
Mailing Address (Line 1): 4371 Northlake #314
Mailing Address (Line 2):
City: Palm Beach
State & Zip Code: FL 33410-6253
Phone: 5613108801
Fax:
TIN: 274997114
DUNS #: null
CAGE Code: -
SIC:
Proposal Contains Proprietary Information: No
Amount Requested (in dollars): $650000.00
Duration: 36 months
Requested Starting Date: 07/04/2011
Business Type: Small Business - 50 or Fewer Employees; Annual Gross Revenue - 1 Million or Less

[Email]

And knowing just how quickly the error rate might … commit a future criminal act. The SAM signals will also go off for (as a small subset):
- Whistle blowers
- Investigators
- Journalists
… software be better. Damn large protect out is better than FAST. We need to catch up and discuss how the … program is …
Craig

-----Original Message-----
From: Dave Kleiman [mailto:dave@davekleiman.com]
Sent: Monday, 17 October 2011 3:45 AM
To: Dave Kleiman
Subject: FAST Project - Minority Report?

You know it started out as a good Dick short story, then the Minority Report movie, precrime turned out … book and the movie, now it is coming … to aide. good ole …

According to documents published by the Department of Homeland Security, FAST is a Minority Report style initiative that seeks to determine the … an individual, who is not suspected of any crime, might commit a future criminal act. Under the program, the DHS will collect and retain a mix of "physiological and behavioral signals" (video images, audio recordings, cardiovascular signals, pheromones, electrodermal activity and respiratory measurements) from individuals as they engage in activities.

Future Attribute Screening Technology

Respectfully,
Dave Kleiman
4371 Northlake #314
Palm Beach Gardens, FL 33410
561.310.8801
The following is a response to the request by the ATO, ref. 1011685995901.

1. Income is on hold at present. The ATO has been auditing and reviewing the company following an initial question as to the allocation of GST that led to a zero amount in payment overall.
   a. Income was based on an arrangement with a large multi-national firm for the export of software and mathematical algorithms. The company plans to raise money and sell its IP and software. To do this, it needs to get past the audit phase. No income is expected until the ATO allows us to actually carry on a business. Basically, we are conducting research and developing capital in the hope that one day the auditing process will actually provide some feedback and we can go to market. This was in progress before the ATO started calling clients and placed this on hold.
2. Australia
3. 24x7 International
   a. We have published malware papers and processes (peer reviewed)
   b. We have published statistical libraries
   c. These can be sold as .Net framework libraries. Large companies such as Microsoft, McAfee and CA have interest in the IP, but we need to have cleared the audit before we can sell this.
5. All contract -- see 2010 tax return.
   a. Income is on hold until we can sell it.
   b. Sales will not start until the audit is complete
   c. Sales had started before the ATO started contacting clients who then placed holds on the sales.
6. All work is currently completed by directors and contractors.

1. Data warehousing
   a. Contracting
   b. Rental of office space
   c. Computer systems
   d. Software
   e. Previously Existing IP
2. See folders.
   a. Q4 2010 has not been completed and hence is not included in this.
Plant leasing and core tech.
1. Transfer of developed code into the company.
   a. COCOMO used to cost technology.
2. Leasing of systems for the following 12 months.

[Table: COCOMO costing of the transferred code; the figures are illegible in the original. Recoverable headings: Immune System, Transfer, Project Value (including …), Note: the Total Project Value includes the … chart not in Schedule, Source Lines, Team Size, Project Complexity, Pricing Per Hour, Person Hours, Person Months, Total Price (Discounted to three payments at …), Price Per Line, Lines Per Page.]

The IP has been deducted at a rate of 3 years as this is the perceived life of the IP before patent. This is at $666,666 as 1/3rd of the total costs to date.

See contract copy on disk. Direct costs plus IP … based methodology plus direct costs …

The systems and equipment are used directly in the research and the development of solutions that will be offered for international sale. This research is directly linked to a candidacy at Charles Sturt University and is related to a research study. The proposal and associated research papers are available on request.

Non-capital acquisitions for the period 01/01/2010 to 31/12/2010 as per purchase schedule. This includes Carbon credits (to offset computers using electricity) and sundry expenses.
Page 101 of 105

Invoices: see disk.
Payments: see disk.
The following loan contracts have been attached (as prepared by Michie Shehadie and Co and registered).
Loan from Wright
Loan from Craig Wright
Other Loans (Visa and sundry expenses)
This includes depreciating assets. These assets are used in the research projects and are key to the development of product.

Page 102 of 105

Re: intellectual property sold by Craig Wright to Integyrs
You have valued the market value of your intellectual property as $2,246,000 (data from your BAS (Craig Wright) for the tax periods July-Dec 2009) which you sold to two of your companies where you are the Director. You have to provide documents to substantiate that you have incurred these costs during the course of your research and development of your intellectual property. Please provide substantiation of the above costs by providing the tax invoices with full details of the supplier, date, description and the amounts stated for the purchases.

Sale Capital assets
[illegible] Contracts created by [illegible] have attached [illegible] what was transferred.
I have attached a spreadsheet with the breakdowns of loans by Wright for total for a 7% interest rate. The total comes to $815,803.61 as at 01 Jul 2009. The amounts are covered as follows in the spreadsheet under the following headers:
Conferences and Travel: paid monies for my attendance at conferences. These were for my business and education (eg. SANS).
Contributions: helped me pay the loans used for the legal costs.
As per the attached information in the attached email, as per "Farrugia v The Official Receiver (1982) 43 ALR 700", the Doctrine of Exoneration is used in the allocation of these when applied to real property. The loans were for the direct purpose of Integyrs and Research at Lynn's detriment. These amounts are monies she paid towards the loan each month and are hence loaned to the company.

Debt - Purchased contract
DeMorgan Pty had a contract for $105,000 [illegible] payments to [illegible] on sale.

Page 103 of 105

I purchased this in order to buy the business of DeMorgan and start DeMorgan Information Security Systems, and this contract and the IP associated with it was transferred into Integyrs.

[illegible] for software
Cost basis and transfer for prior assets. Assets and shares moved from prior companies set as per court order issued by NSW Supreme Court.

[Table, largely illegible in this copy: transfers from prior companies. Recoverable entries: Transfer of [illegible], Transfer of code, designs and assets, Computer, Total Gains, Total losses; one transfer amount reads $3,100,00[illegible].]

Page 104 of 105

[illegible]
2. See folder 1 statement.

Yes, Integyrs is registered with AusIndustry. R2010976

Page 105 of 105
